[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: "previously established an identifier usable by the requester"?
SAML folks and particularly the TC,
On my first reading of the SAML2 spec, my interpretation was that AllowCreate on NameIDPolicy as well the whole NIM protocol/profile were only applicable to subject name identifiers using the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format and that was how SAML2 achieved account linking. However, the specs didn’t explicitly call this out so I sent a message to this list looking for some feedback on that interpretation – and Scott was kind enough to shoot it down :-) see http://lists.oasis-open.org/archives/saml-dev/200501/msg00025.html. Scott has convinced me that there is no unique treatment of the persistent format and that “the whole point is that ‘persistent’ is *not* particularly special (apart from the privacy orientation).”
Given that, what exactly is the meaning of the spec text below?
“Note that if the requester
wishes to permit the identity provider to establish a new identifier for the
principal if none exists, it MUST include this element with the AllowCreate
attribute set to "true". Otherwise, only a principal for whom the
identity provider has previously established an identifier usable by the
requester can be authenticated successfully. This is primarily useful in
conjunction with the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Format value (see Section 8.3.7)” -- from section 3.4.1.1 of SAML
Core but there is similar wording in various parts of Core and Profiles. A strict read, I think, implies
that:
This would allow SPs to link
accounts, or not, at their own discretion but independent of the name id format
used. Is my interpretation still
wrong? I would be interested to hear any of the TC member’s
thoughts. I was particularly surprised to see
what looked like very inconsistent treatment of this issue during the RSA 2005
SAML V2.0 public interop event – particularly with respect to the
AllowCreate attribute. In the “basic use case” requirements
it was clearly stated that for the <NameIDPolicy> of an
<AuthnRequest> “an AllowCreate attribute is OPTIONAL, but if sent
must be set to false” and that the format value must be
‘X.509’. In the “optional use case” requirements
the format was required to be ‘persistent’ and the AllowCreate
attribute was required to be set to true. Where in the basic use
case did the IDP “established an identifier usable by the
requester”? It seems to me that the basic use case demonstrated at
the RSA show was not true to the literal wording of the SAML 2 specification
– unless somehow the rules of the spec change for different name
identifier formats or for different operational modes of the server entities. Any clarification would be
appreciated, Brian |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]