saml-dev message



Subject: RE: [saml-dev] Question concerning linking of principals


> > Problem: a Relying Party wants to query some attributes for a 
> > principal (call him principal B) that has some association with a 
> > principal (call him principal A) that the RP already holds 
> a Name ID for.
> > 
> > Would an appropriate solution be for Principal A to have some 
> > attributes that give Principal B's NameID and SAML attribute 
> > authority? The RP requests these attributes, using Principal A's 
> > NameID, and then does a second attribute request using these NameID 
> > and AA values? Are there any other approaches to this?
> 
> As Conor said, there are lot of subtleties to it. But for a 
> basic linking use case, I believe the People Service isn't 
> needed. A profile of ID-WSF on top of SAML attribute query 
> can do the job, by using the original IdP to supply, as you 
> say, a NameID and endpoint to use.

My use-case lacks most of the gotchas that have been mentioned:
 - both principals are either at a single IdP, or two IdPs within a
single security domain.
 - principal A only has one instance of a principal B at any moment
(although principal B might change regularly over time).
 - principal B is never an active participant.

So I'm inclined to think a profile of People Service, as you suggest, is
most appropriate.

Do SAML implementations typically provide the levers to make these
'after the fact' attribute requests using a different NameID, and
possibly a different authority, from that given in the original SSO
event? For example, does the Shibboleth 2.0 SP Attribute Resolver
support this kind of operation? I'm trying to understand what would make
life easiest for the application developer...

Many thanks, josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
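The two-step lookup described in the quoted problem statement (query principal A's attribute authority for the attributes that name principal B, then issue a second AttributeQuery about B to the authority those attributes point at), as an added example that is not from this thread, from Shibboleth, or from any SAML profile. It assumes hypothetical attribute names (urn:example:linkedPrincipalNameID, urn:example:linkedAttributeAuthority), constructed entity IDs and a constructed response for principal A. The linked-authority attribute carries the AA's entity ID, and the RP resolves that to a query endpoint through its own trusted metadata rather than following a URL taken from the attribute value; signature and Conditions validation of the first response are assumed to have been done by the SAML stack before this code runs.

```python
"""Two-step SAML 2.0 attribute query for a linked principal (added example).

Attribute names, entity IDs and the sample response below are constructed for
this example; they are not defined by any SAML profile or implementation.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Hypothetical attributes released for principal A that describe principal B.
LINKED_NAMEID_ATTR = "urn:example:linkedPrincipalNameID"
LINKED_AA_ATTR = "urn:example:linkedAttributeAuthority"

# Constructed: AA entity IDs the RP trusts, mapped to the AttributeQuery endpoint
# taken from the RP's own metadata (never from a value inside a response).
TRUSTED_AAS = {
    "https://aa2.example.ac.uk/aa": "https://aa2.example.ac.uk/aa/AttributeQuery",
}

# Constructed response to the first query (about principal A), as the SAML stack
# would hand it over after verifying the signature and Conditions.
SAMPLE_RESPONSE_FOR_A = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.ac.uk/idp</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">a-persistent-id</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{LINKED_NAMEID_ATTR}" NameFormat="{BASIC}">
        <saml:AttributeValue><saml:NameID Format="{PERSISTENT}">b-persistent-id</saml:NameID></saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{LINKED_AA_ATTR}" NameFormat="{BASIC}">
        <saml:AttributeValue>https://aa2.example.ac.uk/aa</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_attribute_query(issuer, name_id, name_id_format, attribute_names):
    """Serialise a samlp:AttributeQuery from `issuer` (the RP) about `name_id`."""
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID", Format=name_id_format).text = name_id
    for name in attribute_names:
        ET.SubElement(q, f"{{{NS['saml']}}}Attribute", Name=name, NameFormat=BASIC)
    return ET.tostring(q, encoding="unicode")


def extract_link(response_xml):
    """Return (B's NameID, its Format, B's AA entity ID) from A's attribute response."""
    root = ET.fromstring(response_xml)
    attrs = {a.get("Name"): a
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    if LINKED_NAMEID_ATTR not in attrs or LINKED_AA_ATTR not in attrs:
        raise ValueError("principal A carries no link to a principal B")
    name_ids = attrs[LINKED_NAMEID_ATTR].findall("saml:AttributeValue/saml:NameID", NS)
    aas = [v.text.strip() for v in attrs[LINKED_AA_ATTR].findall("saml:AttributeValue", NS)]
    # The use case allows exactly one principal B at a time; anything else is a data error.
    if len(name_ids) != 1 or len(aas) != 1:
        raise ValueError("expected exactly one linked principal")
    nid = name_ids[0]
    return nid.text.strip(), nid.get("Format", PERSISTENT), aas[0]


def plan_second_query(response_xml, rp_entity_id, trusted_aas, attribute_names):
    """Return (endpoint, AttributeQuery XML) for the follow-up query about principal B.

    The AA named in A's attributes is only a lookup key into the RP's trusted
    metadata; an AA the RP does not know stops the process instead of being contacted.
    """
    b_name_id, b_format, aa_entity_id = extract_link(response_xml)
    if aa_entity_id not in trusted_aas:
        raise ValueError(f"attribute authority not in RP metadata: {aa_entity_id}")
    query = build_attribute_query(rp_entity_id, b_name_id, b_format, attribute_names)
    return trusted_aas[aa_entity_id], query


def query_subject(query_xml):
    """Return (NameID value, Format) of a serialised AttributeQuery."""
    nid = ET.fromstring(query_xml).find("saml:Subject/saml:NameID", NS)
    return nid.text, nid.get("Format")


if __name__ == "__main__":
    endpoint, xml_query = plan_second_query(
        SAMPLE_RESPONSE_FOR_A, "https://sp.example.org/shibboleth", TRUSTED_AAS,
        ["urn:example:role"])
    print("POST to", endpoint)
    print(xml_query)
```

The second query is built with the RP as Issuer and principal B's NameID and Format copied from A's attributes; transport (SOAP binding, TLS, signing the query) is left to the SAML stack that would send it to the returned endpoint.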


