saml-dev message



Subject: RE: [saml-dev] SAML2.0 SSO & identity management




Giuseppe Sarno wrote on 10/27/2005, 11:23 AM:

Hi, thanks.

The other thing that is strange (to me anyway) (also looking at 2136)
is that the NameIDPolicy format has persistent/transient/encrypted, etc.
This means I can have either a persistent ID or an encrypted ID in the resulting Assertions, and I think one shouldn't preclude the other.

The thought behind encrypted was that the IdP would choose whether or not the ID is encrypted depending upon the channel through which the assertion was delivered to the consuming party. This came about because of one of Liberty's web services invocation models where an assertion is delivered to party A to be delivered to party B through a web service invocation, and the encrypted ID was used by the IdP to prevent party A from learning the ID for the user at party B.

So encryption wasn't thought of as a decision made or requested by the SP on an authnRequest, but rather as a security decision by the IdP when the assertion is generated (based upon the IdP's security policies).

Conor
