saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [saml-dev] SAML authority


On 9/14/06, Manuel Ernstberger <MErnstberger@gmx.de> wrote:
>
> Although it might be a bit out of scope for SAML, I'd like to know how a SAML authority can gain information needed for creating assertions. Can it communicate, for example, with an LDAP directory?

The act of authentication at the identity provider (IdP) *is* out of
scope, but certainly LDAP authentication is common.  The attribute
authority at the IdP may also leverage LDAP to obtain attributes about
a principal.

> And how can it determine whether a subject has been authenticated to an SP?

The IdP (not the SP) is responsible for identifying the principal, so
I'm not sure I understand your question.  An IdP in a particular SAML
V2.0 implementation may maintain state that includes all the SPs it
has issued assertions to (for the purposes of logout, e.g.) but the
IdP is not aware of what access (if any) was granted at a particular
SP.

Hope this helps,
Tom
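Added example, not code from the thread above: a sketch of the IdP-side behaviour Tom describes, an attribute authority that fills a SAML 2.0 assertion from directory attributes (a constructed in-memory stand-in for an LDAP lookup) and records which SP each assertion was issued to, so the IdP can later find the SPs to notify on logout without knowing what access they granted. The release policy, issuer entityID and attribute names are assumptions.

```python
"""Added example, not code from the original thread: an IdP-side attribute
authority that fills a SAML 2.0 assertion from directory attributes and records
which SP it went to, so the IdP can later find the SPs to notify on logout.
DIRECTORY is a constructed stand-in for an LDAP lookup; ATTR_RELEASE is assumed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed stand-in for an LDAP entry keyed by uid; userPassword must never be released.
DIRECTORY = {"mernst": {"cn": "Manuel Ernstberger", "mail": "MErnstberger@gmx.de",
            "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"], "userPassword": "{SSHA}x"}}
ATTR_RELEASE = ("cn", "mail", "memberOf")  # assumed release policy

def release_attributes(uid):
    """Directory attributes the IdP may release for uid (multi-valued), or None if unknown."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return None
    return {k: v if isinstance(v, list) else [v] for k, v in entry.items() if k in ATTR_RELEASE}

def issue_assertion(uid, sp_entity_id, issued_to):
    """Build an assertion for uid scoped to one SP and record that SP in issued_to."""
    attrs = release_attributes(uid)
    if attrs is None:
        raise LookupError(f"unknown principal {uid!r}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("saml", NS)
    a = ET.Element(f"{{{NS}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=now)
    ET.SubElement(a, f"{{{NS}}}Issuer").text = "https://idp.example.org/idp"  # assumed entityID
    ET.SubElement(ET.SubElement(a, f"{{{NS}}}Subject"), f"{{{NS}}}NameID").text = uid
    restrict = ET.SubElement(ET.SubElement(a, f"{{{NS}}}Conditions"), f"{{{NS}}}AudienceRestriction")
    ET.SubElement(restrict, f"{{{NS}}}Audience").text = sp_entity_id
    session_index = uuid.uuid4().hex
    authn = ET.SubElement(a, f"{{{NS}}}AuthnStatement", AuthnInstant=now, SessionIndex=session_index)
    ET.SubElement(ET.SubElement(authn, f"{{{NS}}}AuthnContext"), f"{{{NS}}}AuthnContextClassRef").text = PPT
    stmt = ET.SubElement(a, f"{{{NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{NS}}}Attribute", Name=name, NameFormat=BASIC)
        for v in values:
            ET.SubElement(attr, f"{{{NS}}}AttributeValue").text = v
    # Per-principal state the IdP keeps: which SPs hold a session, under which SessionIndex.
    issued_to.setdefault(uid, []).append((sp_entity_id, session_index))
    return ET.tostring(a, encoding="unicode")

def logout_targets(uid, issued_to):
    """SPs to notify when uid logs out; what access each SP granted is not known here."""
    return [sp for sp, _ in issued_to.get(uid, [])]
```

Note that the unreleased directory attribute (the password hash) never reaches the assertion; only the explicitly listed attributes do.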
