SAML folks and particularly the TC,
On my first reading of the SAML2 spec, my interpretation was that AllowCreate on NameIDPolicy as well the whole NIM protocol/profile were only applicable to subject name identifiers using the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format and that was how SAML2 achieved account linking. However, the specs didn't explicitly call this out so I sent a message to this list looking for some feedback on that interpretation - and Scott was kind enough to shoot it down :-) see http://lists.oasis-open.org/archives/saml-dev/200501/msg00025.html. Scott has convinced me that there is no unique treatment of the persistent format and that "the whole point is that 'persistent' is *not* particularly special (apart from the privacy orientation)."
Given that, what exactly is the meaning of the spec text below?
"Note that if the requester wishes
to permit the identity provider to establish a new identifier for the
principal if none exists, it MUST include this element with the AllowCreate
attribute set to "true". Otherwise, only a principal for whom the identity
provider has previously established an identifier usable by the requester can
be authenticated successfully. This is primarily useful in conjunction with
the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format value (see
Section 8.3.7)" -- from section 3.4.1.1 of SAML Core but there is
similar wording in various parts of Core and Profiles.
A strict read, I think, implies
that:
- For each principal,
an IDP must keep state about what identifier, if any, it has used to
represent that principal to any particular SP.
- For a given
principal and SP pair, if the IDP hasn't already established an identifier
to represent that principal to that SP, then it cannot do so unless the
AllowCreate flag is set to 'true' in the
<AuthnRequest>.
- Once such an
identifier is established to represent a principal to an SP, the IDP must
use it consistently in the future (until it's changed or
terminated).
This would allow SPs to link
accounts, or not, at their own discretion but independent of the name id
format used.
Is my interpretation still
wrong? I would be interested to hear any of the TC member's
thoughts.
I was particularly surprised to
see what looked like very inconsistent treatment of this issue during the RSA
2005 SAML V2.0 public interop event - particularly with respect to the
AllowCreate attribute. In the "basic use case" requirements it was
clearly stated that for the <NameIDPolicy> of an <AuthnRequest>
"an AllowCreate attribute is OPTIONAL, but if sent must be set to false" and
that the format value must be 'X.509'. In the "optional use case"
requirements the format was required to be 'persistent' and the AllowCreate
attribute was required to be set to true. Where in the basic use
case did the IDP "established an identifier usable by the requester"? It
seems to me that the basic use case demonstrated at the RSA show was not true
to the literal wording of the SAML 2 specification - unless somehow the rules
of the spec change for different name identifier formats or for different
operational modes of the server entities.
Any clarification would be
appreciated,
Brian