{"id":721,"date":"2007-03-25T00:36:12","date_gmt":"2007-03-25T08:36:12","guid":{"rendered":"\/?p=721"},"modified":"2007-03-25T00:43:18","modified_gmt":"2007-03-25T08:43:18","slug":"delegation-requires-multiple-tokens","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=721","title":{"rendered":"Delegation requires multiple tokens"},"content":{"rendered":"<p>ID Maan <a href=\"\/?p=703#comments\">comments<\/a>:<\/p>\n<blockquote><p>Little puzzled with your views with respect to SAML:<\/p>\n<p>&#8220;It is a lot cleaner for this scenario than the single-token designs such as SAML, proposed by Liberty, or the consequent &#8220;disappearing&#8221; of the user.&#8221;<\/p>\n<p>As I understand WS-Trust is a token agnostic protocol. Delegation on other hand can be essentially considered as the capability of the security token. So, isn&#39;t WS-Trust in a way dependent on the security token capabilities to provide for delegation? In other words, if you state SAML is insufficient to solve delegation problem, so is WS-Trust protocol that uses SAML tokens?<\/p><\/blockquote>\n<p>No&nbsp;wonder&nbsp;he is&nbsp;puzzled.&nbsp; I should have been clearer.&nbsp; Let me try again.<\/p>\n<p>We all agree the SAML token&nbsp;is a fine and good way of expressing sets of claims.<\/p>\n<p>But beyond the token,&nbsp;there is the SAML protocol &#8211; one way of moving SAML tokens around.&nbsp;<\/p>\n<p>I think&nbsp;the SAML protocol&nbsp;suffers from having a single-token design.&nbsp; Why?<\/p>\n<p>I don&#39;t think delegation problems can be solved through a single token.&nbsp; Once you are expressing the identities of both a user and a delegate, you need to be able to request and convey two (or more) tokens &#8211; in the sense of integral things from separate sources.&nbsp; In the simplest case, one represents the user, one the delegate.<\/p>\n<p>To be clear, I wasn&#39;t hitting on the SAML protocol in all its applications.&nbsp; I was arguing that WS-Trust, which has the ability to move and request multiple tokens simultaneously and establish relationships between them, solves the delegation problem more cleanly from an architectural point of view.&nbsp;<\/p>\n<p>When SAML was being elaborated, before the user-centric identity wave, we saw the user as being represented by the portal service.&nbsp; She had no independent existence.&nbsp; So you didn&#39;t need multiple tokens.<\/p>\n<p>Since Identity 2.0, all this has changed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In delegation applications, the SAML protocol suffers from having a single-token design&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/721"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=721"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/721\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}