Subject: "previously established an identifier usable by the requester"?
SAML folks and particularly the TC,
On my first reading of the SAML2 spec, my interpretation was that AllowCreate on NameIDPolicy as well as the whole NIM protocol/profile were only applicable to subject name identifiers using the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format and that was how SAML2 achieved account linking. However, the specs didn’t explicitly call this out so I sent a message to this list looking for some feedback on that interpretation – and Scott was kind enough to shoot it down :-) see http://lists.oasis-open.org/archives/saml-dev/200501/msg00025.html. Scott has convinced me that there is no unique treatment of the persistent format and that “the whole point is that ‘persistent’ is *not* particularly special (apart from the privacy orientation).”
Given that, what exactly is the meaning of the spec text below?
“Note that if the requester wishes to permit the identity provider to establish a new identifier for the principal if none exists, it MUST include this element with the AllowCreate attribute set to "true". Otherwise, only a principal for whom the identity provider has previously established an identifier usable by the requester can be authenticated successfully. This is primarily useful in conjunction with the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format value (see Section 8.3.7)” -- from section 3.4.1.1 of SAML Core but there is similar wording in various parts of Core and Profiles.
A strict read, I think, implies that:
This would allow SPs to link accounts, or not, at their own discretion but independent of the name id format used.
Is my interpretation still wrong? I would be interested to hear any of the TC member’s thoughts.
I was particularly surprised to see what looked like very inconsistent treatment of this issue during the RSA 2005 SAML V2.0 public interop event – particularly with respect to the AllowCreate attribute. In the “basic use case” requirements it was clearly stated that for the <NameIDPolicy> of an <AuthnRequest> “an AllowCreate attribute is OPTIONAL, but if sent must be set to false” and that the format value must be ‘X.509’. In the “optional use case” requirements the format was required to be ‘persistent’ and the AllowCreate attribute was required to be set to true. Where in the basic use case did the IDP “establish an identifier usable by the requester”? It seems to me that the basic use case demonstrated at the RSA show was not true to the literal wording of the SAML 2 specification – unless somehow the rules of the spec change for different name identifier formats or for different operational modes of the server entities.
Any clarification would be appreciated,
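The AllowCreate rule quoted from Core above, worked through as an added example; this is not code from the post, from the TC, or from any SAML implementation. It applies the "strict read" uniformly to every Format: the IdP reuses an identifier it has already established for this principal and this SP (keyed on the SPNameQualifier, or the SP's entityID when that attribute is absent), and otherwise creates one only when AllowCreate is "true", failing with the InvalidNameIDPolicy status code from Core when it is not. Assumptions: the linking table is an in-memory dict, a missing AllowCreate is treated as false, persistent identifiers are opaque random strings, and the transient format is minted fresh per request and never stored (my reading of Core 8.3.8, which means nothing can have been "previously established" for it). The `IdentityProvider` class and the helper names are mine.

```python
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_name_id_policy(fmt, sp_name_qualifier=None, allow_create=None):
    """SP side: serialise the <samlp:NameIDPolicy> element of an <AuthnRequest>.
    AllowCreate is only emitted when the caller sets it explicitly."""
    el = ET.Element(f"{{{SAMLP_NS}}}NameIDPolicy")
    el.set("Format", fmt)
    if sp_name_qualifier:
        el.set("SPNameQualifier", sp_name_qualifier)
    if allow_create is not None:
        el.set("AllowCreate", "true" if allow_create else "false")
    return ET.tostring(el, encoding="unicode")


def _xs_boolean(value):
    # the four xs:boolean lexical forms; anything else is a malformed request
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"invalid xs:boolean: {value!r}")


def parse_name_id_policy(xml_text):
    """IdP side: read Format, SPNameQualifier and AllowCreate from the element.
    Assumption: an absent AllowCreate means 'false' (the 'Otherwise' branch of Core)."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAMLP_NS}}}NameIDPolicy":
        raise ValueError("not a samlp:NameIDPolicy element")
    return {
        "Format": el.get("Format"),
        "SPNameQualifier": el.get("SPNameQualifier"),
        "AllowCreate": _xs_boolean(el.get("AllowCreate", "false")),
    }


@dataclass
class IdentityProvider:
    """Hypothetical IdP state: identifiers already established, keyed by
    (local user, SP qualifier, name identifier format)."""
    federations: dict = field(default_factory=dict)

    def resolve_name_id(self, local_user, sp_entity_id, policy):
        """Apply the AllowCreate rule literally and independently of Format:
        reuse an established identifier, else create one only if AllowCreate is true.
        Returns (status code URI, identifier or None)."""
        fmt = policy["Format"]
        qualifier = policy["SPNameQualifier"] or sp_entity_id
        if fmt == FMT_TRANSIENT:
            # assumption: transient values are per-session and never stored, so there
            # is nothing to look up and nothing gets linked to the local account
            return STATUS_SUCCESS, "_" + secrets.token_hex(16)
        key = (local_user, qualifier, fmt)
        existing = self.federations.get(key)
        if existing is not None:
            return STATUS_SUCCESS, existing
        if not policy["AllowCreate"]:
            # no previously established identifier and the SP did not permit creating one
            return STATUS_INVALID_NAMEID_POLICY, None
        new_id = secrets.token_hex(16)  # opaque: reveals nothing about local_user
        self.federations[key] = new_id
        return STATUS_SUCCESS, new_id


if __name__ == "__main__":
    idp = IdentityProvider()
    sp = "https://sp.example.org"  # constructed entityID
    strict = parse_name_id_policy(build_name_id_policy(FMT_PERSISTENT, allow_create=False))
    permissive = parse_name_id_policy(build_name_id_policy(FMT_PERSISTENT, allow_create=True))
    print(idp.resolve_name_id("alice", sp, strict))      # InvalidNameIDPolicy: nothing linked yet
    print(idp.resolve_name_id("alice", sp, permissive))  # Success: identifier created and stored
    print(idp.resolve_name_id("alice", sp, strict))      # Success: the same identifier is reused
```

The second strict call succeeds only because the permissive call in between established an identifier; with a different SPNameQualifier the lookup key changes and the strict request fails again, which is the per-SP linking behaviour the quoted text describes.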