saml-dev message
Subject: Seeking a high-level understanding of the Name Identifier Mapping Protocol
- From: "Costello, Roger L." <costello@mitre.org>
- To: <saml-dev@lists.oasis-open.org>
- Date: Tue, 27 Jun 2006 16:19:45 -0400
Hi Folks,

Consider this scenario:
An Identity Provider, IdP, knows the principal by both names
Let's suppose that Entity B sends to Entity A a SAML document which identifies the Subject as technowhiz@hotmail.com
Well, Entity A doesn't know anyone by this name, so Entity A sends a NameIDMappingRequest to IdP, "Hey, what other names does technowhiz@hotmail.com have?" Here's how that is generally expressed in XML:
<NameIDMappingRequest>
</NameIDMappingRequest>
IdP replies with a NameIDMappingResponse, "He also goes by the name: j.doe@acompany.com". Here's how that is generally expressed in XML:
<NameIDMappingResponse>
</NameIDMappingResponse>
Entity A knows the principal by the name j.doe@acompany.com, so Entity A immediately recognizes that Entity B is providing information about a principal that he (Entity A) knows about.
Question #1: does this scenario accurately capture the purpose and mechanism of the Name Identifier Mapping Protocol?

Question #2: suppose the principal goes by more than two names; how does IdP reply with all the names?
According to the specification, NameIDMappingResponse can only have one EncryptedID element. For example, this is what I would like returned from the above request, but is not allowed:
<NameIDMappingResponse>
<EncryptedID>j.doe@acompany.com</EncryptedID>
<EncryptedID>harvard_student901@yahoo.com</EncryptedID>
</NameIDMappingResponse>
Thanks. /Roger
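The request/response exchange described in the message above, as an added example that is not part of the original post: Entity A builds the NameIDMappingRequest, the IdP answers with a NameIDMappingResponse carrying the single identifier the schema permits, and the relying party validates the response before trusting the mapping. Entity names, IDs and timestamps are constructed, and signing and EncryptedID encryption are omitted.

```python
# Added example (not from the original message): SAML 2.0 Name Identifier Mapping
# exchange with the relying-party checks a defender would want. Sample names,
# IDs and timestamps are constructed; signatures/EncryptedID are omitted.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_request(req_id, issuer, name, sp_name_qualifier):
    """NameIDMappingRequest: 'what does this principal go by at sp_name_qualifier?'"""
    req = ET.Element(f"{{{SAMLP}}}NameIDMappingRequest", ID=req_id, Version="2.0",
                     IssueInstant="2006-06-27T20:19:45Z")  # constructed timestamp
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", Format=EMAIL_FMT).text = name
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", Format=EMAIL_FMT,
                  SPNameQualifier=sp_name_qualifier)
    return ET.tostring(req, encoding="unicode")

def build_response(resp_id, in_response_to, issuer, mapped_name):
    """NameIDMappingResponse: the schema allows exactly one NameID or EncryptedID."""
    resp = ET.Element(f"{{{SAMLP}}}NameIDMappingResponse", ID=resp_id, Version="2.0",
                      IssueInstant="2006-06-27T20:19:46Z", InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    ET.SubElement(resp, f"{{{SAML}}}NameID", Format=EMAIL_FMT).text = mapped_name
    return ET.tostring(resp, encoding="unicode")

def mapped_identifier(response_xml, expected_request_id, trusted_issuer):
    """Relying-party checks: issuer, request correlation, status, single identifier."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}NameIDMappingResponse":
        raise ValueError("not a NameIDMappingResponse")
    if root.findtext(f"{{{SAML}}}Issuer") != trusted_issuer:
        raise ValueError("untrusted issuer")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not correlate with our request")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("mapping did not succeed")
    ids = root.findall(f"{{{SAML}}}NameID") + root.findall(f"{{{SAML}}}EncryptedID")
    if len(ids) != 1:  # a second identifier violates the schema; treat as malformed
        raise ValueError(f"expected exactly one identifier, got {len(ids)}")
    return ids[0].text
```

A response that is not correlated to an outstanding request, or that carries more than one identifier, is rejected rather than partially trusted.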