|
The SPProvidedID is there to potentially ease the
integration at the SP by allowing the SP to provide its own keying information
(protected, of course) to the IdP so that the IdP returns it to the SP upon
later interactions (that way the SP doesn't have to re-architect its solution
around the federation ID generated by the IdP).
The SP MUST always provide the IdP's nameID when
interacting with the IdP (so the IdP can build its solution around its own
key).
So neither party is forced to maintain an index on their
data using the other entity's key.
My $.02 is that it is much better for an SP to use the
federation id created by the IdP if at all possible as this decreases the
possiblity of any information leak across the federation. This feature was
added to the protocols to decrease a potential resistance point to adoption of
the protocols by the SP, but only should be used if absolutely
necessary.
Conor
Hi @
all,
Is the SPProvidedID Attribute
usable as a kind of foreign key at the IdP? I thought about the
following:
- Establish Persistent Federation
between IdP and SP via Browser SSO Profile (User has Account at both
parties)
- the SP
immediately issues a ManageNameIDRequest to the IdP containing its primary
key for the respective user as SPProvidedID
- in all
following requests to the IdP, the SP uses the SPProvidedID (provided as
NameID attribute; omitting the IdP’s NameID String) when referring to the
Subject and thus needn’t hold the Subject’s NameID provided by the
IdP
Is this possible or does the IdP
need the NameID to idenitify the subject?
Thanks for any
help!
Lars
|