OASIS Mailing List Archives


security-services message



Subject: Errata for NameIDPolicy



Johan, I'm proposing the following errata text in Core as two new paragraphs between lines 2139 and 2140 related to NameIDPolicy. It centers on ensuring that an IDP only returns a NameID that matches a NameIDPolicy (in terms of Format and SPNameQualifier):

"When a Format defined in Section 8.3.7 is used other than urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if the identity provider returns any assertions, the Format value of the <NameID> within any <Assertion> MUST be identical to the Format value supplied in the <NameIDPolicy>.

If the Format value is set to urn:oasis:names:TC:SAML:2.0:nameid-format:persistent and if the SPNameQualifier is not omitted, then if the identity provider returns any assertions, the SPNameQualifier value of the <NameID> within any <Assertion> MUST be identical to the SPNameQualifier value supplied in the <NameIDPolicy>."

Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust®
Securing Digital Identities
& Information
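
The two proposed paragraphs, applied as a service-provider-side check, as an added example that is not part of the message above and not Entrust or OASIS code. It assumes the nameid-format identifiers as registered in SAML 2.0 Core Section 8.3 (the unspecified identifier carries the 1.1 namespace there) and a constructed sample response.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes and the nameid-format identifiers from SAML 2.0 Core Section 8.3.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EXEMPT_FORMATS = {FMT_UNSPECIFIED, FMT_ENCRYPTED}  # the two formats the errata text excludes


def check_nameid_policy(policy_format, policy_spnq, response_xml):
    """Apply the proposed errata on the SP side.

    policy_format / policy_spnq: the Format and SPNameQualifier the SP sent in
    <NameIDPolicy> (None when the attribute was omitted).
    Returns a list of violation strings; an empty list means the response conforms.
    """
    violations = []
    root = ET.fromstring(response_xml)
    for assertion in root.findall("saml:Assertion", NS):
        aid = assertion.get("ID", "<no ID>")
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        if nameid is None:
            continue  # no plaintext <NameID> (e.g. <EncryptedID>): nothing to compare
        fmt = nameid.get("Format", FMT_UNSPECIFIED)  # Core: an omitted Format means unspecified
        # Paragraph 1: any non-exempt requested Format must come back identical.
        if policy_format and policy_format not in EXEMPT_FORMATS and fmt != policy_format:
            violations.append(f"{aid}: NameID Format {fmt!r} != requested {policy_format!r}")
        # Paragraph 2: persistent plus an explicit SPNameQualifier must be echoed exactly.
        if policy_format == FMT_PERSISTENT and policy_spnq is not None:
            spnq = nameid.get("SPNameQualifier")
            if spnq != policy_spnq:
                violations.append(f"{aid}: SPNameQualifier {spnq!r} != requested {policy_spnq!r}")
    return violations


# Constructed sample response (not from the message): one assertion with a persistent NameID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                   SPNameQualifier="https://sp.example.org">pseudonym-1</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_nameid_policy(FMT_PERSISTENT, "https://sp.example.org", SAMPLE_RESPONSE))  # []
    print(check_nameid_policy(FMT_PERSISTENT, "https://other.example.org", SAMPLE_RESPONSE))
```

The second call reports the assertion whose SPNameQualifier does not match the one the SP requested; a transient request against this response would be reported under the first paragraph.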

 

