
security-services message



Subject: NameID and the use of SPProvidedID


All, there is some contention around the interpretation of SamlCore lines 2433 - 2438 and 2490 - 2492.

"The new identifier value (in plaintext or encrypted form) to be used when communicating with the requesting provider concerning this principal, or an indication that the use of the old identifier has been terminated. In the former case, if the requester is the service provider, the new identifier MUST appear in subsequent <NameID> elements in the SPProvidedID attribute. If the requester is the identity provider, the new value will appear in subsequent <NameID> elements as the element's content."

...

"In any case, the <saml:NameID> content in the request and its associated SPProvidedID attribute MUST contain the most recent name identifier information established between the providers for the principal."

This has to do with setting the persistent NameID value using the NewID option of an MNI request.

Assume original NameID is as follows: 

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent">abcd</NameID>

Assume that an SP sets their SPProvidedID to "1234". It is clear that the IDP, upon accepting the new value, MUST send any references to this NameID such that the SPProvidedID is specified as "1234".

So an IDP would send

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>

Now consider if the SP needs to initiate a request (e.g., Single Logout). I would contend that the SP MUST send the following as well:

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>

Another interpretation is that the SP is allowed to continue to send:

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent">abcd</NameID>

I.e., it never needs to send the value it set in its MNI request with NewID="1234".

Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust®
Securing Digital Identities
& Information
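As an added example (it is not part of Tom's message, the quoted SAML Core text, or any Entrust or OASIS code), the following Python models the first reading above: once the SP's ManageNameIDRequest with NewID="1234" is accepted, every subsequent <NameID> exchanged in either direction carries SPProvidedID="1234", and a receiver checks incoming identifiers (such as the one in an SP-initiated LogoutRequest) against the most recent information it holds. The `NameIdRecord` class, its method names and the sample bare NameID are constructed for illustration; the namespace URI and the full persistent-format URI (abbreviated as "...persistent" in the message) are the real SAML 2.0 values.

```python
import xml.etree.ElementTree as ET

# Real SAML 2.0 assertion namespace and persistent NameID format URI.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: the original NameID from the message, with no SPProvidedID.
SAMPLE_BARE_NAMEID = (
    '<NameID xmlns="%s" NameQualifier="idp" SPNameQualifier="sp" '
    'Format="%s">abcd</NameID>' % (SAML_NS, PERSISTENT_FORMAT)
)


def parse_name_id(xml_text):
    """Parse a <NameID> element (namespaced or not) into a plain dict."""
    el = ET.fromstring(xml_text)
    if el.tag.rsplit("}", 1)[-1] != "NameID":
        raise ValueError("not a NameID element")
    return {
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
        "format": el.get("Format"),
        "sp_provided_id": el.get("SPProvidedID"),  # None when the attribute is absent
        "value": (el.text or "").strip(),
    }


class NameIdRecord:
    """Hypothetical per-principal record of the most recent identifier
    information established between one IdP and one SP."""

    def __init__(self, name_qualifier, sp_name_qualifier, idp_value):
        self.name_qualifier = name_qualifier
        self.sp_name_qualifier = sp_name_qualifier
        self.value = idp_value        # element content, chosen by the IdP
        self.sp_provided_id = None    # SPProvidedID, chosen by the SP via MNI
        self.terminated = False

    def apply_manage_name_id(self, requester, new_id=None, terminate=False):
        """Apply a ManageNameIDRequest. Following the quoted SAML Core text:
        a NewID from the SP becomes SPProvidedID, a NewID from the IdP replaces
        the element content, and Terminate ends use of the identifier."""
        if terminate:
            self.terminated = True
            return
        if requester == "sp":
            self.sp_provided_id = new_id
        elif requester == "idp":
            self.value = new_id
        else:
            raise ValueError("requester must be 'sp' or 'idp'")

    def render(self):
        """Serialize the NameID both providers must use from now on; the
        SPProvidedID attribute is emitted whenever one has been established."""
        if self.terminated:
            raise RuntimeError("identifier terminated; it must not be referenced")
        el = ET.Element("{%s}NameID" % SAML_NS)
        el.set("NameQualifier", self.name_qualifier)
        el.set("SPNameQualifier", self.sp_name_qualifier)
        el.set("Format", PERSISTENT_FORMAT)
        if self.sp_provided_id is not None:
            el.set("SPProvidedID", self.sp_provided_id)
        el.text = self.value
        return ET.tostring(el, encoding="unicode")

    def is_current(self, xml_text):
        """Check a received NameID (e.g. from an SP-initiated LogoutRequest)
        against the most recent information held for the principal. A bare
        NameID without the established SPProvidedID is rejected as stale."""
        if self.terminated:
            return False
        got = parse_name_id(xml_text)
        return (
            got["name_qualifier"] == self.name_qualifier
            and got["sp_name_qualifier"] == self.sp_name_qualifier
            and got["format"] == PERSISTENT_FORMAT
            and got["value"] == self.value
            and got["sp_provided_id"] == self.sp_provided_id
        )


if __name__ == "__main__":
    rec = NameIdRecord("idp", "sp", "abcd")
    rec.apply_manage_name_id("sp", new_id="1234")   # SP's MNI with NewID="1234"
    print("SP must send in Single Logout:", rec.render())
    print("bare NameID accepted as current?", rec.is_current(SAMPLE_BARE_NAMEID))
```

The `is_current` check is where the "MUST contain the most recent name identifier information" sentence becomes enforceable: an IdP that stores the SPProvidedID it accepted, and compares against it, treats the bare `<NameID>abcd</NameID>` of the second interpretation as not matching the current identifier.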

 

