Subject: RE: [saml-dev] SubjectLocality errata?
If you look at the schema, you can see that Subject Locality can be an IP address or DNS name (or both). These are intended to be the values associated with the user at the time of authentication. There was some sentiment to omit this information because of the potential for spoofing, but the consensus was that organizations today (and therefore products) use this information as a part of Authorization policy decisions. Therefore the fields were retained as optional attributes. I did lobby for more explicit definition of what the fields mean, especially DNS name, but the current wording was retained.

My personal interpretation is that it is the IP address in the messages that were received in the Authentication exchange. The DNS name should be the result of a reverse lookup on the IP at the time the Authentication was done, but I suppose a reverse lookup at the time the assertion was generated is also a reasonable interpretation. Of course, the typical client system using DHCP will probably not have a DNS name assigned, in which case the attribute should be omitted.

Since these fields are optional, you do not have to generate them. If your policy model does not use them you can ignore them if you receive them.
Hal
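The following is an added example, not code from the thread or from Hal: it shows an issuer populating SubjectLocality the way the post describes (the IP from the authentication exchange, a DNS name only when a reverse lookup succeeds, the attribute omitted otherwise) and a relying party treating the received values as advisory input to a policy decision rather than trusting them outright, since the post notes they can be spoofed. It assumes the SAML 2.0 Core element and attribute names (`saml:SubjectLocality` with `Address` and `DNSName`); the post does not say which SAML version it discusses, and SAML 1.x uses different attribute names. The resolver is injectable so the block runs offline; the IP address and PTR name in `FAKE_PTR` are constructed sample data.

```python
"""Added example (not from the thread): emitting and consuming a SAML 2.0
SubjectLocality.  Attribute names Address/DNSName and the saml: namespace
are from SAML 2.0 Core; the original post names no version."""
import ipaddress
import socket
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample data (TEST-NET-3 range), standing in for real reverse DNS.
FAKE_PTR = {"203.0.113.7": "ws07.corp.example"}


def fake_resolver(ip):
    """Offline stand-in for reverse DNS: returns None when no PTR is known."""
    return FAKE_PTR.get(ip)


def reverse_lookup(ip):
    """Default resolver: reverse DNS via the OS.  Returns None when the
    address has no PTR record, which is the usual case for DHCP clients."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def build_subject_locality(client_ip, resolver=reverse_lookup):
    """Issuer side: record the IP seen in the authentication exchange and,
    only if a reverse lookup succeeds, the DNS name.  A malformed IP raises
    ValueError rather than being asserted as-is."""
    addr = ipaddress.ip_address(client_ip)
    el = ET.Element(f"{{{SAML_NS}}}SubjectLocality")
    el.set("Address", str(addr))
    name = resolver(str(addr))
    if name:  # post: omit DNSName when the client has no name
        el.set("DNSName", name)
    return el


def build_authn_statement(client_ip, resolver=reverse_lookup):
    """Wrap the locality in an AuthnStatement and serialise it."""
    stmt = ET.Element(f"{{{SAML_NS}}}AuthnStatement")
    stmt.append(build_subject_locality(client_ip, resolver))
    return ET.tostring(stmt, encoding="unicode")


def evaluate_locality(authn_statement_xml, observed_ip, allowed_networks):
    """Relying-party side.  SubjectLocality is optional and unverified, so
    the result is a set of facts for a policy engine, not an allow/deny:
      present          - the issuer supplied an Address at all
      matches_observed - asserted Address equals the IP this party sees
      in_policy        - asserted Address falls inside an allowed network
    allowed_networks is a list of CIDR strings."""
    root = ET.fromstring(authn_statement_xml)
    loc = root.find(f"{{{SAML_NS}}}SubjectLocality")
    result = {"present": False, "malformed": False,
              "asserted": None, "dns_name": None,
              "matches_observed": None, "in_policy": None}
    if loc is None or loc.get("Address") is None:
        return result
    result["present"] = True
    result["dns_name"] = loc.get("DNSName")
    try:
        asserted = ipaddress.ip_address(loc.get("Address"))
    except ValueError:
        result["malformed"] = True  # treat as absent, not as a match
        return result
    result["asserted"] = str(asserted)
    result["matches_observed"] = asserted == ipaddress.ip_address(observed_ip)
    result["in_policy"] = any(asserted in ipaddress.ip_network(n)
                              for n in allowed_networks)
    return result


if __name__ == "__main__":
    xml = build_authn_statement("203.0.113.7", fake_resolver)
    print(xml)
    print(evaluate_locality(xml, "203.0.113.7", ["203.0.113.0/24"]))
```

The relying party deliberately reports a mismatch between the asserted address and the address it observes instead of failing the assertion: the two can legitimately differ (proxies, NAT, a front-channel browser redirect), so whether a mismatch is grounds for denial is a policy question, which is the point Hal makes about leaving the fields optional.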