saml-dev message



Subject: Seeking a high-level understanding of the Name Identifier Mapping Protocol


Hi Folks,
 
Consider this scenario:
 
    Entity A knows a principal by the name: j.doe@acompany.com
    Entity B knows the same principal, but by a different name: technowhiz@hotmail.com
    An Identity Provider, IdP, knows the principal by both names
 
Let's suppose that Entity B sends to Entity A a SAML document which identifies the Subject as technowhiz@hotmail.com
 
Well, Entity A doesn't know anyone by this name, so Entity A sends a NameIDMappingRequest to IdP, "Hey, what other names does technowhiz@hotmail.com have?"  Here's how that is generally expressed in XML:
 
    <NameIDMappingRequest>
           <EncryptedID>technowhiz@hotmail.com</EncryptedID>
    </NameIDMappingRequest>
 
IdP replies with a NameIDMappingResponse, "He also goes by the name: j.doe@acompany.com".  Here's how that is generally expressed in XML:
 
    <NameIDMappingResponse>
           <EncryptedID>j.doe@acompany.com</EncryptedID>
    </NameIDMappingResponse>
 
Entity A knows the principal by the name j.doe@acompany.com, so Entity A immediately recognizes that Entity B is providing information about a principal that he (Entity A) knows about.
 
Question #1: does this scenario accurately capture the purpose and mechanism of the Name Identifier Mapping Protocol? 
 
Question #2: suppose the principal goes by more than two names; how does IdP reply with all the names?   According to the specification, NameIDMappingResponse can only have one EncryptedID element.  For example, this is what I would like returned from the above request, but is not allowed:
 
    <NameIDMappingResponse>
           <EncryptedID>j.doe@acompany.com</EncryptedID>
           <EncryptedID>harvard_student901@yahoo.com</EncryptedID>
    </NameIDMappingResponse>
 
Thanks.  /Roger
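The following is an added example, not part of Roger's message and not OASIS or any SAML implementation's code. It sketches the exchange from the post with the element names and namespaces the SAML 2.0 protocol schema actually uses: the request carries the identifier to map plus a mandatory samlp:NameIDPolicy that names the target format and SPNameQualifier, and the response carries a samlp:Status followed by exactly one saml:NameID (or saml:EncryptedID). Because each request selects one target namespace, a principal with three names is handled with one request per target rather than one response with three identifiers. The entity URLs, the IdP's identifier directory, the request and response IDs, and the timestamps are all constructed for the example; signing and encryption, which a real deployment relies on, are omitted, and the requester-side checks (InResponseTo matches the request ID, status is Success, exactly one identifier present) are the minimum a relying party should perform before trusting the mapped name.

```python
"""Constructed walk-through of the SAML 2.0 Name Identifier Mapping exchange.
Assumed (not from the post): entity URLs, the IdP directory, IDs and timestamps.
"""
import xml.etree.ElementTree as ET  # for untrusted input in production, parse with defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP directory: one principal, one identifier per service provider.
PRINCIPALS = {
    "principal-1": {
        "https://entityA.example": "j.doe@acompany.com",
        "https://entityB.example": "technowhiz@hotmail.com",
        "https://entityC.example": "harvard_student901@yahoo.com",
    }
}


def build_mapping_request(request_id, issue_instant, issuer, name_id, source_sp, target_sp):
    """Requester side: ask the IdP to map name_id (as known to source_sp) into
    target_sp's namespace. The NameIDPolicy is what selects the single target."""
    req = ET.Element(f"{{{SAMLP}}}NameIDMappingRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    nid = ET.SubElement(req, f"{{{SAML}}}NameID",
                        {"Format": FMT_EMAIL, "SPNameQualifier": source_sp})
    nid.text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": FMT_EMAIL, "SPNameQualifier": target_sp})
    return ET.tostring(req, encoding="unicode")


def idp_handle_request(request_xml, response_id, issue_instant):
    """IdP side: look the identifier up and answer with at most one mapped name.
    An unmappable request gets a Requester error status and no identifier."""
    req = ET.fromstring(request_xml)
    name = req.find("saml:NameID", NS)
    policy = req.find("samlp:NameIDPolicy", NS)
    resp = ET.Element(f"{{{SAMLP}}}NameIDMappingResponse",
                      {"ID": response_id, "Version": "2.0",
                       "IssueInstant": issue_instant, "InResponseTo": req.get("ID", "")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = "https://idp.example"  # constructed
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    mapped, target_sp = None, None
    if name is not None and policy is not None:
        target_sp = policy.get("SPNameQualifier")
        for names in PRINCIPALS.values():
            if names.get(name.get("SPNameQualifier")) == name.text:
                mapped = names.get(target_sp)
                break
    if mapped is None:
        code.set("Value", STATUS_REQUESTER)
    else:
        code.set("Value", STATUS_SUCCESS)
        out = ET.SubElement(resp, f"{{{SAML}}}NameID",
                            {"Format": FMT_EMAIL, "SPNameQualifier": target_sp})
        out.text = mapped
    return ET.tostring(resp, encoding="unicode")


def parse_mapping_response(response_xml, expected_request_id):
    """Requester side: return the one mapped identifier, None if the IdP reported
    an error, and raise if the message does not correlate or is malformed.
    (Signature verification, required in practice, is not shown here.)"""
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{SAMLP}}}NameIDMappingResponse":
        raise ValueError("not a NameIDMappingResponse")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our request ID")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return None
    ids = resp.findall("saml:NameID", NS) + resp.findall("saml:EncryptedID", NS)
    if len(ids) != 1:
        raise ValueError("response must carry exactly one identifier")
    return ids[0].text


if __name__ == "__main__":
    # Entity A maps Entity B's name into its own namespace, then into Entity C's.
    for target in ("https://entityA.example", "https://entityC.example"):
        req = build_mapping_request("_req1", "2024-01-01T00:00:00Z", "https://entityA.example",
                                    "technowhiz@hotmail.com", "https://entityB.example", target)
        resp = idp_handle_request(req, "_resp1", "2024-01-01T00:00:01Z")
        print(target, "->", parse_mapping_response(resp, "_req1"))
```

Each call maps to a single target namespace, which is why the response schema only ever needs one identifier; asking for the names known to Entity A and to Entity C is two requests, each answered with one saml:NameID.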