OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: "previously established an identifier usable by the requester"?

SAML folks and particularly the TC,
On my first reading of the SAML2 spec, my interpretation was that AllowCreate on NameIDPolicy as well the whole NIM protocol/profile were only applicable to subject name identifiers using the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format and that was how SAML2 achieved account linking.  However, the specs didn’t explicitly call this out so I sent a message to this list looking for some feedback on that interpretation – and Scott was kind enough to shoot it down :-) see http://lists.oasis-open.org/archives/saml-dev/200501/msg00025.html.   Scott has convinced me that there is no unique treatment of the persistent format and that “the whole point is that ‘persistent’ is *not* particularly special (apart from the privacy orientation).”
Given that, what exactly is the meaning of the spec text below?


“Note that if the requester wishes to permit the identity provider to establish a new identifier for the principal if none exists, it MUST include this element with the AllowCreate attribute set to "true". Otherwise, only a principal for whom the identity provider has previously established an identifier usable by the requester can be authenticated successfully. This is primarily useful in conjunction with the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format value (see Section 8.3.7)”  -- from section of SAML Core but there is similar wording in various parts of Core and Profiles.


A strict read, I think, implies that:

  • For each principal, an IDP must keep state about what identifier, if any, it has used to represent that principal to any particular SP.
  • For a given principal and SP pair, if the IDP hasn’t already established an identifier to represent that principal to that SP, then it cannot do so unless the AllowCreate flag is set to ‘true’ in the <AuthnRequest>.
  • Once such an identifier is established to represent a principal to an SP, the IDP must use it consistently in the future (until it’s changed or terminated).


This would allow SPs to link accounts, or not, at their own discretion but independent of the name id format used.


Is my interpretation still wrong?  I would be interested to hear any of the TC member’s thoughts.


I was particularly surprised to see what looked like very inconsistent treatment of this issue during the RSA 2005 SAML V2.0 public interop event – particularly with respect to the AllowCreate attribute.  In the “basic use case” requirements it was clearly stated that for the <NameIDPolicy> of an <AuthnRequest> “an AllowCreate attribute is OPTIONAL, but if sent must be set to false” and that the format value must be ‘X.509’.  In the “optional use case” requirements the format was required to be ‘persistent’ and the AllowCreate attribute was required to be set to true.   Where in the basic use case did the IDP “established an identifier usable by the requester”?  It seems to me that the basic use case demonstrated at the RSA show was not true to the literal wording of the SAML 2 specification – unless somehow the rules of the spec change for different name identifier formats or for different operational modes of the server entities.


Any clarification would be appreciated,



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]