Subject: RE: [security-services] NameID and the use of SPProvidedID
> I really don't feel strongly about the issue, but I agree
> with Tom that reading the spec, it isn't very ambiguous to me either.

I think the "problem" came in when moving from ID-FF (which had these as two separate elements rather than having the SPProvidedNameIdentifier as an attribute of the NameID) to SAML. In ID-FF we were pretty explicit of where the SPProvidedNameIdentifier needed to be and it was on messages going from IdP to SP. To quote the ID-FF spec:

    Otherwise, the identity provider MUST use <SPProvidedNameIdentifier> when subsequently communicating to the service provider regarding the Principal.

So I think this requirement came out of an unintended consequence rather than someone consciously thinking about making this a requirement. My gut is that we should fix this in the errata (if you can do that kind of change in errata) but I too don't feel all that strongly about this. I think it is probably more important that we have guidance that implementations SHOULD use the IdP NameIdentifier where possible and SHOULD ONLY use the SPProvidedNameID when they can't configure their systems to use the IdP's NameID.

Conor
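The guidance in the message above (key the account on the IdP's NameID, treat SPProvidedID as a secondary, SP-side alias) can be shown on the SP side with a small resolver. This is an added example, not code from the list thread or from any SAML implementation; the NameID sample, the entity IDs and the local account table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: a saml:NameID as it might arrive from the IdP, carrying
# an SPProvidedID that the SP had earlier registered with the IdP.
SAMPLE_NAMEID = (
    f'<NameID xmlns="{SAML_NS}" Format="{PERSISTENT}" '
    'NameQualifier="https://idp.example.org" '
    'SPNameQualifier="https://sp.example.com" '
    'SPProvidedID="local-user-42">a1b2c3d4</NameID>'
)

# Constructed local account table. The lookup key is the full IdP-issued
# identifier tuple, never the SPProvidedID alone.
ACCOUNTS = {
    ("https://idp.example.org", "https://sp.example.com", PERSISTENT, "a1b2c3d4"):
        "local-user-42",
}


def parse_nameid(xml_text):
    """Extract the NameID value and its qualifying attributes."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("not a saml:NameID element")
    return {
        "value": (el.text or "").strip(),
        # SAML 2.0 treats a missing Format as 'unspecified'.
        "format": el.get("Format", UNSPECIFIED),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
        "sp_provided_id": el.get("SPProvidedID"),
    }


def resolve_account(nameid, accounts):
    """Map a parsed NameID to a local account.

    Returns (local_account_or_None, status). The binding rests on the
    IdP NameID tuple; SPProvidedID is only cross-checked against the
    account that tuple resolves to, so a disagreement is surfaced for
    logging rather than silently trusted.
    """
    key = (
        nameid["name_qualifier"],
        nameid["sp_name_qualifier"],
        nameid["format"],
        nameid["value"],
    )
    local = accounts.get(key)
    if local is None:
        return None, "unknown-idp-nameid"
    sp_id = nameid["sp_provided_id"]
    if sp_id is not None and sp_id != local:
        return local, "spprovidedid-mismatch"
    return local, "ok"


if __name__ == "__main__":
    parsed = parse_nameid(SAMPLE_NAMEID)
    print(resolve_account(parsed, ACCOUNTS))
```

Keying the lookup on the qualifier tuple rather than the bare value also keeps two IdPs (or two SPNameQualifiers) that happen to issue the same opaque string from colliding in the account table, which is the reason the example carries NameQualifier and SPNameQualifier through rather than discarding them.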