RE: SAML's authZ token?

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Thu, 25 Jul 2002 17:35:08 -0700
Message-ID: <45258A4365C6B24A9832BFE224837D5523BC4F@SJDCEX01.int.exodus.net>
To: "Hal Lockhart" <hal.lockhart@entegrity.com>, <www-ws-arch@w3.org>

Thanks, Hal.

Joe Hui
Exodus, a Cable & Wireless service 

==============================================

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, July 25, 2002 3:08 PM
To: Joseph Hui; Hal Lockhart; www-ws-arch@w3.org
Subject: RE: SAML's authZ token?


Single signon can be built using the AuthN statement in an assertion (as in Liberty) or by both AuthN and Attribute statements in an assertion (as in the 2 SAML Browser Profiles).
 
Neither of these is a generalized network single signon. They are attempts in a Web context to work around the limitations of current browsers and the HTTP protocol.
 
SAML authZ token is not a term you will find in any of the SAML docs. I suspect it came from a WS-Security context, as the IBM/MS/Verisign proposal uses the term "security token".
 
Hal

-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Thursday, July 25, 2002 5:20 PM
To: Hal Lockhart; www-ws-arch@w3.org
Subject: RE: SAML's authZ token?


Hal,
 
Thanks for the feedback.
 
The first thing that came to my mind was the single-sign-on
connotation when "authZ token" was mentioned.
So, does it have the single-sign-on feature in plan?
Also, is "SAML authZ token" an adapted terminology/nomenclature?
 
Regards,
 
Joe Hui
Exodus, a Cable & Wireless service
==============================================

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, July 25, 2002 2:10 PM
To: Joseph Hui; www-ws-arch@w3.org
Subject: RE: SAML's authZ token?



SAML is entirely about Authorization. 

There are three types of statements in Assertions. 

1. Authentication Assertion 
2. Attribute Assertion 

These are intended as inputs to authorization decisions. 

3. Authorization Decision Assertion 

This reports the result of an authorization decision. 

Note that SAML says nothing about how authorization decisions are made. This is what XACML is about. 

Hal 

> -----Original Message----- 
> From: Joseph Hui [mailto:Joseph.Hui@exodus.net] 
> Sent: Wednesday, July 24, 2002 10:18 PM 
> To: www-ws-arch@w3.org 
> Subject: SAML's authZ token? 
> 
> 
> 
> Hi all, 
> 
> I recall someone from the WSAWG mentioned something 
> to the effect of "using SAML's authorization token" 
> a while ago.  (It had to be "SAML's," as I remember, 
> because "Passport's" or "Liberty Alliance's" or 
> something else's would have been locked into other 
> cells of my memory.) 
> 
> I'm having difficulty locating where and what SAML does 
> about Authorization.  I did read the "Sec & Privacy Cons 
> for SAML" doc, which a colleague of mine cc'ed me a week 
> prior to the last F2F, circa June.  AuthZ was not there. 
> Was I missing something or simply misinformed? 
> 
> Thanks, 
> 
> Joe Hui 
> Exodus, a Cable & Wireless service 
> 
Received on Thursday, 25 July 2002 20:34:18 GMT