Subject: RE: [security-services] Inclusion of Federated Name Registration Protocol in SAML 2.0
> > The SP half of the protocol is indeed for those niche cases. I think in
> > ID-FF the ability for the IdP to refresh its identifier was added as an
> > afterthought, but I think that's actually the more useful half.
>
> <JohnK> I believe that RNI was added *mostly* for the benefit of the IdP,
> to enable update of the NameID, as Scott noted, to better protect the
> privacy of the Principal. I also believe that there are companies out
> there that find this functionality useful, and would like SPs to support
> their periodic refreshing of NameIDs. </JohnK>

Could this not be accomplished by the IdP (optionally) returning a "fresh"
federation identifier as part of the AuthnResponse? That is a modest
extension to an existing protocol vs. the introduction of a whole new
request-response pair.

I have not encountered a single deployment where this functionality is in
use or planned to be used. I would be interested in learning about
deployments where this protocol is in use or will be used.

- prateek