Re: [plasma] URL of identity provider in plasma response

"Jim Schaad" <> Thu, 05 July 2012 17:33 UTC

From: Jim Schaad <>
To: 'Alan Borland' <>,
Date: Thu, 05 Jul 2012 10:32:28 -0700
Subject: Re: [plasma] URL of identity provider in plasma response

That is an interesting idea, and one that we should look at.  I was not at
the meeting in Reston.  Currently it will return the set of attributes that
are required to the requestor, but not a set of attribute authorities. 

From: [] On Behalf Of Alan Borland
Sent: Thursday, July 05, 2012 3:09 AM
Subject: [plasma] URL of identity provider in plasma response

At our meeting in Reston I thought it was described how a client could send
a Plasma Request without an Authentication element. In this case the Plasma
Server would return a Plasma Response to the client containing the URL of
the Identity Provider (adfs) to authenticate with. The client must then
authenticate with the Identity Provider and re-submit the Plasma Request
with the completed Authentication element (including the assertion returned
by adfs). However, I can't find any of this described in the draft RFCs - is
this yet to be described or have I misunderstood something?