saml-dev message


Subject: SAML2.0 SSO & identity management


I'm looking at the identity federation model proposed in the SAML 2.0 specs, of which
an example is provided in the Technical Overview, and I have the following question:

SSO, SP-initiated:

During an Authentication Request the SP could include the NameIDPolicy with SPNameQualifier = persistent, which means that the SP is asking for a persistent identifier (a well-known and agreed identifier shared between SP and IDP) for the subject.

This, in a few words, means that in the SAML model the SP drives this. I mean it is up to the SP to decide whether the identifier required is persistent or transient.

Now, though, the problem is in the case of IDP-initiated requests,
since the model is based on the IDP returning an AuthResponse without having received a previous Auth request.
How can the IDP decide which policy to apply?

It feels right to me that this data (NameIDPolicy) should somehow be attached to the Subject also in the Response.

Any idea of how this works?
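The two flows discussed in this message, worked through as an added example (not code from the original post or from any SAML implementation). It builds an SP-initiated AuthnRequest whose NameIDPolicy carries the persistent/transient choice in its Format attribute (the SPNameQualifier attribute, when present, names the SP or affiliation the identifier is qualified for), and then shows the SP-side check on the returned Response: when the Response carries InResponseTo, the NameID Format must match what the matching AuthnRequest asked for; when it does not (IdP-initiated, no prior request), the SP can only fall back to the list of formats it is configured to accept. Entity IDs, IDs, timestamps and the sample Response are constructed values; the check assumes the Response signature has already been validated.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML 2.0 Core: a NameID without a Format attribute is treated as 'unspecified'.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(request_id, issuer, name_id_format, sp_name_qualifier=None):
    """SP-initiated flow: the SP states its identifier policy in <samlp:NameIDPolicy>."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed timestamp
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                           {"Format": name_id_format, "AllowCreate": "true"})
    if sp_name_qualifier:
        policy.set("SPNameQualifier", sp_name_qualifier)
    return ET.tostring(req, encoding="unicode")


def requested_format(authn_request_xml):
    """Format the SP asked for, or None when the request carried no NameIDPolicy."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def check_response_name_id(response_xml, requested=None, sp_accepted=()):
    """Return (ok, reason) for the NameID the IdP returned.

    requested   -- Format from the AuthnRequest this Response answers (SP-initiated).
    sp_accepted -- formats the SP is configured to accept when there was no request
                   (IdP-initiated: Response has no InResponseTo).
    """
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, "assertion Subject carries no NameID"
    fmt = name_id.get("Format", UNSPECIFIED)
    if root.get("InResponseTo") is not None:
        # SP-initiated: the policy we sent is the contract; enforce it if we set one.
        if requested is not None and fmt != requested:
            return False, f"requested {requested} but IdP returned {fmt}"
        return True, "NameID format matches the AuthnRequest NameIDPolicy"
    # IdP-initiated: no request to compare against, so only SP configuration applies.
    if fmt not in sp_accepted:
        return False, f"unsolicited Response with NameID format {fmt} not in SP accepted list"
    return True, "unsolicited Response; NameID format is in the SP accepted list"


def sample_response(name_id_format, in_response_to=None):
    """Constructed IdP Response (unsigned, for illustration only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:01Z"{irt}>'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{name_id_format}" '
        'SPNameQualifier="https://sp.example.com">user-handle-42</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    req = build_authn_request("_req1", "https://sp.example.com", PERSISTENT,
                              sp_name_qualifier="https://sp.example.com")
    want = requested_format(req)
    print(check_response_name_id(sample_response(PERSISTENT, "_req1"), requested=want))
    print(check_response_name_id(sample_response(TRANSIENT, "_req1"), requested=want))
    print(check_response_name_id(sample_response(TRANSIENT), sp_accepted=(PERSISTENT,)))
```

The SP-initiated branch needs the AuthnRequest's NameIDPolicy to have been stored against the request ID so it can be looked up when the Response arrives; the IdP-initiated branch is the point of the question above: with no request in flight, the only policy the SP can enforce is its own configuration.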

