saml-dev message

Subject: Question - SP authorization check


Hi all,

In SP-initiated web SSO, when the SAML authentication response is received at the SP, the SP, apart from other things, validates the SAML assertion and creates a session for the user at the SP.

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="identifier_1" Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
    </saml:SubjectConfirmation>
</saml:Subject>

If the NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", then which user does the session at the SP belong to? The NameID is opaque information. Also, how will authorization checks be performed at the SP, as the user is opaque in the assertion?

Thanks for your time.

Regards,

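Added example (not part of the poster's message): the SP-side checks on the bearer `<saml:Subject>` quoted above, run against that snippet with a namespace declaration added so it parses on its own. It assumes the SP issued an AuthnRequest with ID `identifier_1`, that its ACS URL is the `Recipient` shown, and that the "current time" is passed in by the caller; the transient NameID is kept only as a session handle.

```python
"""SP-side validation of a bearer <saml:Subject> from a SAML 2.0 Response."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the Subject from the question, plus an xmlns declaration.
SAMPLE_SUBJECT = f"""<saml:Subject xmlns:saml="{SAML_NS}">
  <saml:NameID Format="{TRANSIENT}">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData InResponseTo="identifier_1"
        Recipient="https://sp.example.com/SAML2/SSO/POST"
        NotOnOrAfter="2004-12-05T09:27:05Z"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_saml_instant(value):
    # SAML xs:dateTime values are expressed in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_subject(xml_text, expected_request_id, acs_url, now_utc):
    """Validate bearer confirmation; return a dict with ok/errors and the NameID.

    expected_request_id: ID of the AuthnRequest this SP issued and still has open.
    acs_url: this SP's own Assertion Consumer Service URL.
    now_utc: current time as a SAML dateTime string (assumed supplied by caller).
    """
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)  # a production SP should use a hardened XML parser
    errors = []
    name_id = root.find("saml:NameID", ns)
    conf = root.find("saml:SubjectConfirmation", ns)
    data = conf.find("saml:SubjectConfirmationData", ns)
    if conf.get("Method") != BEARER:
        errors.append("unexpected SubjectConfirmation Method")
    if data.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    if data.get("Recipient") != acs_url:
        errors.append("Recipient is not this SP's ACS URL")
    if parse_saml_instant(now_utc) >= parse_saml_instant(data.get("NotOnOrAfter")):
        errors.append("SubjectConfirmationData expired (NotOnOrAfter)")
    # A transient NameID is a per-session handle only: it may key the SP session
    # but must not be stored as the user's durable account identifier.
    return {"ok": not errors, "errors": errors,
            "session_handle": name_id.text.strip(),
            "transient": name_id.get("Format") == TRANSIENT}
```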
