An Oracle blog about Consulting Security Corner

  • November 30, 2009

Follow-up on OAuth/UMA/SPML

Guest Author

Clark Sanford gave me some insightful comments on my OAuth/UMA/SPML/Federated Provisioning post.

In particular he's trying to promote the use of SAML Attribute Query as the way to provide callback in Federated Provisioning:
In the scenario Nishant describes where the original Assertion doesn't contain all the attributes/claims they want for provisioning, in a SAML implementation why couldn't the SP service initiate the Assertion Query profile to retrieve the desired additional attributes from the IdP service?
I think it's important to keep in mind that the real competition isn't between SAML, OAuth and SPML. Rather, the real competition is to convince people that they shouldn't be doing manual data entry (and storage) of person/identity data, and that this data is in fact queryable. That's the big hurdle.

Then the second hurdle is actually how to implement this. While SAML Attribute Query would seem to be the preferred choice (it is a standard, and most if not all federation products support it), I think it's still too hard for the average developer to deploy a solution.

For example, here is something I would like to see details on:

How would a PHP developer write a SAML Attribute Query back to a SAML IDP that worked with any server that supported SAML 2?
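As an added illustration (not code from the original post, and in Python rather than the PHP the question asks about), this is the shape of the exchange Clark describes: the SP builds a SAML 2.0 AttributeQuery for a known NameID and then parses the IdP's Response, binding the reply to its own query ID via InResponseTo and refusing anything that is not a Success. The issuer URLs and the sample Response are constructed for the example; XML signing of the query and verification of the IdP's signature, which any real deployment needs, are omitted.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(issuer, name_id, attribute_names, query_id=None):
    """Return (query_id, xml_bytes) for an AttributeQuery; signing is omitted here."""
    query_id = query_id or "_" + uuid.uuid4().hex
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0",
                   IssueInstant=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = name_id
    for name in attribute_names:  # ask only for the claims the SP actually needs
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name)
    return query_id, ET.tostring(q, encoding="utf-8")


def parse_attribute_response(xml_bytes, expected_query_id):
    """Return {attribute name: [values]}; reject replies that are not ours or not Success."""
    root = ET.fromstring(xml_bytes)
    if root.get("InResponseTo") != expected_query_id:  # bind the reply to our query ID
        raise ValueError("InResponseTo does not match the query ID")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    return {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in root.iterfind(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute")}


# Constructed sample reply standing in for what a real IdP would return.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2009-11-30T00:00:00Z" InResponseTo="_q1">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-11-30T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The query would be sent to the IdP's AttributeService endpoint over SOAP/TLS; the point of the InResponseTo and Status checks is that the SP never provisions from a reply it cannot tie to a query it actually made.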

Posted via email from Virtual Identity Dialogue
