Subject: RE: [security-services] Inclusion of Federated Name Registration Protocolin SAML 2.0
ext Mishra, Prateek wrote:

> Could this not be accomplished by the IdP (optionally) returning a "fresh"
> federation identifier as part of the AuthNResponse? That is a modest
> extension to an existing protocol vs. the introduction of a whole new
> request-response pair.

<JohnK> 1) You'd need to carry two NameIDs in the AuthnResponse. </JohnK>

Yes, that is correct. I don't see this as a problem though.

<JohnK> 2) The IdP might have to send an "unsolicited" AuthnResponse in order to initiate this change. Would that be an overloading of the AuthnRequest/Response? </JohnK>

Why is such an "unsolicited" message needed? Why is it not enough that once a change to handle values is made at the IdP, the "next time" the user transits through the IdP, a pair of opaque handles are returned to the SP via the AuthNResponse. Alternatively a pair of handles could always be returned. There is no other reason or context that requires the SP be informed of this change, is there?

- prateek
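The following is an added example, not code from the thread or from any SAML implementation: an SP-side sketch of the approach discussed above, in which the AuthnResponse carries a pair of opaque handles (the one the SP already knows plus a fresh one) and the SP re-keys its federation record on the user's next transit. The element carrying the second handle (`NewNameID`, in a made-up namespace) and the sample assertion are constructed assumptions for illustration; SAML 2.0 defines no such element.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EXT = "urn:example:hypothetical-handle-rotation"  # assumed, not a real SAML namespace

# Constructed sample assertion: the Subject carries the handle the SP already
# knows; the hypothetical NewNameID element carries the replacement handle.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" xmlns:x="{EXT}">
  <Subject><NameID Format="{PERSISTENT}">handle-old-123</NameID></Subject>
  <x:NewNameID Format="{PERSISTENT}">handle-new-456</x:NewNameID>
</Assertion>"""


def extract_handles(assertion_xml):
    """Return (current_handle, new_handle_or_None) from an assertion.
    Only persistent-format NameIDs are accepted for federation handles."""
    root = ET.fromstring(assertion_xml)
    cur = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if cur is None or cur.get("Format") != PERSISTENT:
        raise ValueError("missing or non-persistent Subject NameID")
    new = root.find(f"{{{EXT}}}NewNameID")
    if new is not None and new.get("Format") != PERSISTENT:
        raise ValueError("new handle must be persistent-format")
    return cur.text, (new.text if new is not None else None)


def apply_rotation(federations, assertion_xml):
    """Re-key the SP's federation table {handle: local_account} in place and
    return the local account this login resolves to.
    The rotation is only honoured when the current handle is already federated,
    so an assertion cannot attach a fresh handle to an account it never had."""
    cur, new = extract_handles(assertion_xml)
    if cur not in federations:
        raise KeyError("unknown current handle; nothing to rotate")
    account = federations[cur]
    if new is not None and new != cur:
        if new in federations and federations[new] != account:
            raise ValueError("new handle already bound to a different account")
        federations[new] = account  # accept the fresh handle
        del federations[cur]        # retire the old one
    return account
```

The same function handles the "pair always returned" variant, since an assertion whose new handle equals the current one leaves the table unchanged.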