Subject: RE: [saml-dev] Seeking clarification of Name ID Management Profile
> I have a few other questions/comments I've inserted below in our
> previous exchange.

I've initiated several errata to clarify the issues you raised, assuming I can get agreement on my interpretation.

> Isn't it possible that an Assertion might be passed on to a different SP
> through a mechanism other than Web SSO (say Assertion Query/Request
> Profile)? In this case, how would the SP processing the Assertion know
> which NameID value to use?

SSO and forwarding don't mix. Even ignoring that, multi-party use cases usually involve token transformation, identifier mapping, encryption, etc. You can't get any of that from any profiles in SAML 2. It's separate work.

By definition, a subject containing SPProvidedID is a pairwise subject. From a privacy standpoint, even if you had a global identifier in the NameID that was shared, once you add the alias in there, you really shouldn't be passing it around to anybody else. That's fairly intuitive, I think.

-- Scott