saml-dev message

Subject: RE: [saml-dev] SAML 2.0 SPProvidedID


> The essence of the question is probably: if the IdP has to 
> manage its own NameID and - if present - the SPProvidedID, 
> then why isn't it possible to simply use the SPProvidedID 
> when talking with the IdP.

Because then the SP can impose its key on the IdP. That's at least as bad as
the opposite.

> Instead - as I read you - both IdP and SP have to manage 
> both IDs, instead of only the IdP managing both IDs. 

An SP never has to do anything because the feature is optional. Doing
anything with the ID at all is optional, in fact, which is why transients
exist.

As a conformance matter, it's mandatory for software to enable the use of
the secondary key, but as a practical matter no SP has to use it and it
would be really cool if nobody did so we can deprecate it someday.

-- Scott
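The point Scott makes above, shown as an added example that is not part of the thread: an IdP that keys its subject records on the identifier it issued itself, and stores any SPProvidedID only as an SP-owned alias, so the SP cannot redirect a lookup by choosing the alias. The entity IDs, the opaque identifier values and the NameID XML below are constructed sample data.

```python
"""IdP-side handling of a SAML 2.0 persistent NameID carrying an SPProvidedID.
Constructed example: records are keyed on the IdP-issued value; SPProvidedID is
an alias owned by the SP and is never used to select a subject."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def parse_name_id(xml_text):
    """Return (idp_key, sp_provided_id) from a <saml:NameID> element.
    idp_key is the tuple the IdP controls: qualifiers, Format and the value it issued."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameID" % SAML_NS:
        raise ValueError("not a saml:NameID element")
    fmt = el.get("Format")
    if fmt != PERSISTENT:  # this example only handles the persistent format
        raise ValueError("unsupported NameID Format: %r" % fmt)
    idp_key = (el.get("NameQualifier"), el.get("SPNameQualifier"), fmt,
               (el.text or "").strip())
    return idp_key, el.get("SPProvidedID")

class IdpNameIdStore:
    """Maps IdP-issued identifiers to local principals.  The SP's alias is
    remembered per IdP key for bookkeeping only; lookups never consult it."""
    def __init__(self):
        self.principals = {}   # idp_key -> local principal name
        self.sp_aliases = {}   # idp_key -> SPProvidedID last seen from that SP

    def register(self, idp_key, principal):
        self.principals[idp_key] = principal

    def resolve(self, xml_text):
        idp_key, sp_id = parse_name_id(xml_text)
        principal = self.principals.get(idp_key)
        if principal is None:
            raise LookupError("unknown IdP-issued identifier")
        if sp_id is not None:          # record the alias; it cannot change who this is
            self.sp_aliases[idp_key] = sp_id
        return principal

# Constructed sample: the SP labels Alice's identifier with an alias that
# happens to be Bob's name at the SP.  Resolution still yields Alice.
IDP, SP = "https://idp.example.org", "https://sp.example.com"
ALICE_KEY = (IDP, SP, PERSISTENT, "3f9c-opaque-alice")
ALICE_NAMEID = ('<NameID xmlns="%s" Format="%s" NameQualifier="%s" SPNameQualifier="%s" '
                'SPProvidedID="bob-at-sp">3f9c-opaque-alice</NameID>'
                % (SAML_NS, PERSISTENT, IDP, SP))

def demo():
    store = IdpNameIdStore()
    store.register(ALICE_KEY, "alice")
    return store.resolve(ALICE_NAMEID), store.sp_aliases[ALICE_KEY]
```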
