Subject: Re: [saml-dev] Question about affiliationOwnerID
Hello,
> The owner ID is informational. Affiliations are only relevant for the
> purpose of scoping identifiers. The only place they show up operationally is
> in an SPNameQualifier, at least that I can think of right now.
>
> And no, you would basically never set those to be the same, it doesn't make
> any sense. The affiliation is a group, the owner would be a specific entity.
Thank you for your prompt reply, and I think I got it.
Then I'm also trying to clarify the SSO sequence and the contents of an
<AuthnRequest> that uses an affiliation, as described on page 9 of "SAML 2.0
Interoperability Testing Procedures":
http://www.projectliberty.org/liberty/content/download/952/6702/file/LAP-SAML-TP-Rev2.0-Final_7192006165451.pdf
When I compose an <AuthnRequest> to satisfy Steps 79-82 in Table 2 of the
document above, some questions have come up.
For example, when "http://ServiceProvider.com" is a member of the
affiliation "http://AffiliationA.com",
I think the AuthnRequest looks like the one below.
<samlp:AuthnRequest Consent="...."
    Destination="http://IdentityProvider.com/SAML/SSO" ForceAuthn="true"
    ID="...." IsPassive="false"
    IssueInstant="...." Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ServiceProvider.com/SAML</saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://IdentityProvider.com/SAML"
        SPNameQualifier="http://AffiliationA.com"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="http://AffiliationA.com" />
</samlp:AuthnRequest>
Then ...
QUESTION 1: Should the Issuer be http://ServiceProvider.com/SAML?
QUESTION 2: Should the SPNameQualifier attribute of NameID be
http://AffiliationA.com?
QUESTION 3: Should the SPNameQualifier attribute of NameIDPolicy be
http://AffiliationA.com, following [SAMLCore] 3.4.1.1 Element
<NameIDPolicy>?
QUESTION 4: The SP signs the AuthnRequest using the SP's key (not the affiliation's), right?
QUESTION 5: If the answer to QUESTIONS 1 and 4 is "YES", when and in which
case is the affiliation's key used? (I guess it is only used in the
encryption/decryption case: the IdP encrypts something using the
affiliation's public key, then the SP decrypts it. To do so, affiliation
members share the same public-private key pair.)
Thanks,
--
Hideki
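The quoted reply notes that an affiliation shows up operationally in the SPNameQualifier, so an IdP receiving a request like the one above has to confirm that the Issuer really belongs to the affiliation it names before minting identifiers in that scope. The following is an added example (not part of this thread or of any SAML library) that parses the AuthnRequest from the post and performs that check; the AFFILIATIONS table is a constructed stand-in for the AffiliationDescriptor membership an IdP would take from trusted metadata.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed membership table (hypothetical); a real IdP takes this from the
# <AffiliationDescriptor> elements in the metadata it trusts.
AFFILIATIONS = {
    "http://AffiliationA.com": {"http://ServiceProvider.com/SAML", "http://OtherSP.example/SAML"},
}

# The AuthnRequest from the post, trimmed to the elements under discussion.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2006-07-19T00:00:00Z"
    Destination="http://IdentityProvider.com/SAML/SSO" xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Issuer>http://ServiceProvider.com/SAML</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://IdentityProvider.com/SAML" SPNameQualifier="http://AffiliationA.com"/>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true" SPNameQualifier="http://AffiliationA.com"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""

def extract_qualifiers(authn_request_xml):
    """Return (Issuer, NameID SPNameQualifier, NameIDPolicy SPNameQualifier)."""
    root = ET.fromstring(authn_request_xml)
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    nameid_el = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    policy_el = root.find(f"{{{SAMLP}}}NameIDPolicy")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    nameid_spq = nameid_el.get("SPNameQualifier") if nameid_el is not None else None
    policy_spq = policy_el.get("SPNameQualifier") if policy_el is not None else None
    return issuer, nameid_spq, policy_spq

def check_affiliation_scope(authn_request_xml, affiliations=AFFILIATIONS):
    """IdP-side check: each affiliation-scoped qualifier must name an affiliation the Issuer belongs to."""
    issuer, nameid_spq, policy_spq = extract_qualifiers(authn_request_xml)
    if issuer is None:
        return ["missing Issuer"]
    problems = []
    for label, spq in (("NameID", nameid_spq), ("NameIDPolicy", policy_spq)):
        if spq is None or spq == issuer:
            continue  # identifier scoped to the requester itself: nothing to verify
        members = affiliations.get(spq)
        if members is None:
            problems.append(f"{label}: SPNameQualifier {spq} is not a known affiliation")
        elif issuer not in members:
            problems.append(f"{label}: {issuer} is not a member of {spq}")
    if nameid_spq and policy_spq and nameid_spq != policy_spq:
        problems.append("NameID and NameIDPolicy SPNameQualifier disagree")
    return problems  # [] means the request is consistent and the Issuer is a member
```

Note that ElementTree is used only to keep the example self-contained; an IdP parsing untrusted XML would use a hardened parser and verify the request signature before acting on any of these fields.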