OASIS Mailing List Archives

saml-dev message
Subject: RE: [saml-dev] SAML 2.0 SPProvidedID


The essence of the question is probably: if the IdP has to manage its own NameID and – if present – the SPProvidedID, then why isn’t it possible to simply use the SPProvidedID when talking with the IdP.

Instead – as I read you – both the IdP and the SP have to manage both IDs, instead of only the IdP managing both IDs.

 


From: Cahill, Conor P [mailto:conor.p.cahill@intel.com]
Sent: Tuesday, 21 February 2006 15:23
To: Lars Beekmann; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SAML 2.0 SPProvidedID

 

 

The SPProvidedID is there to potentially ease the integration at the SP by allowing the SP to provide its own keying information (protected, of course) to the IdP so that the IdP returns it to the SP upon later interactions (that way the SP doesn't have to re-architect its solution around the federation ID generated by the IdP).

 

The SP MUST always provide the IdP's nameID when interacting with the IdP (so the IdP can build its solution around its own key). 

 

So neither party is forced to maintain an index on their data using the other entity's key.

 

My $.02 is that it is much better for an SP to use the federation id created by the IdP if at all possible as this decreases the possibility of any information leak across the federation.  This feature was added to the protocols to decrease a potential resistance point to adoption of the protocols by the SP, but should only be used if absolutely necessary.

 

Conor

 


From: Lars Beekmann [mailto:L.Beekmann@intershop.de]
Sent: Tuesday, February 21, 2006 7:53 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] SAML 2.0 SPProvidedID

Hi @ all,

 

Is the SPProvidedID Attribute usable as a kind of foreign key at the IdP? I thought about the following:

  1. Establish Persistent Federation between IdP and SP via the Browser SSO Profile (the user has an account at both parties)
  2. The SP immediately issues a ManageNameIDRequest to the IdP containing its primary key for the respective user as SPProvidedID
  3. In all following requests to the IdP, the SP uses the SPProvidedID (provided as NameID attribute; omitting the IdP’s NameID string) when referring to the Subject and thus needn’t hold the Subject’s NameID provided by the IdP

Is this possible or does the IdP need the NameID to identify the subject?

 

Thanks for any help!

Lars
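The bookkeeping described in this thread, as an added example that is not part of the original messages: Lars's three steps (federate, register the SP key via ManageNameIDRequest/NewID, then refer to the subject) and Conor's rule that the SP must always present the IdP's own NameID value, with SPProvidedID only stored and echoed by the IdP. The entity IDs, account names and the in-memory stores are constructed; the element and attribute names (saml:NameID, SPProvidedID, samlp:ManageNameIDRequest, samlp:NewID) are those of SAML 2.0. It also shows why step 3 as written fails: a NameID carrying only SPProvidedID does not identify anyone at the IdP, and a presented SPProvidedID is checked against the registered value rather than trusted.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

IDP_ENTITY = "https://idp.example.org"  # constructed entity IDs, not real providers
SP_ENTITY = "https://sp.example.com"


def name_id_element(value, sp_provided_id=None):
    """Build a persistent saml:NameID. The element value is always the IdP's identifier."""
    el = ET.Element(f"{{{SAML}}}NameID", Format=PERSISTENT,
                    NameQualifier=IDP_ENTITY, SPNameQualifier=SP_ENTITY)
    el.text = value
    if sp_provided_id is not None:
        el.set("SPProvidedID", sp_provided_id)
    return el


class IdentityProvider:
    """Keys federations on its own NameID value; SPProvidedID is stored and echoed only."""

    def __init__(self):
        self.federations = {}  # IdP NameID value -> {"user": ..., "sp_provided_id": ...}

    def federate(self, idp_user):
        value = "fed-" + uuid.uuid4().hex  # opaque persistent identifier (constructed)
        self.federations[value] = {"user": idp_user, "sp_provided_id": None}
        return value

    def assertion_name_id(self, value):
        """NameID the IdP puts in later assertions: its value plus the registered SPProvidedID."""
        return name_id_element(value, self.federations[value]["sp_provided_id"])

    def resolve(self, name_id):
        """Look the principal up by the IdP's own value; never by SPProvidedID alone."""
        value = (name_id.text or "").strip()
        if not value:
            raise ValueError("NameID value required: SPProvidedID alone identifies no subject")
        rec = self.federations[value]
        claimed = name_id.get("SPProvidedID")
        if claimed is not None and claimed != rec["sp_provided_id"]:
            raise ValueError("presented SPProvidedID does not match the registered value")
        return rec

    def handle_manage_name_id(self, request_xml):
        """Register the SP's key: NewID from an SP becomes the SPProvidedID for this federation."""
        req = ET.fromstring(request_xml)
        rec = self.resolve(req.find(f"{{{SAML}}}NameID"))
        new_id = req.findtext(f"{{{SAMLP}}}NewID")
        if new_id is None:
            raise ValueError("only NewID is modelled here, not Terminate")
        rec["sp_provided_id"] = new_id
        return rec["user"]


class ServiceProvider:
    """Keeps both keys: its own account id and the IdP's NameID value (Conor's point)."""

    def __init__(self):
        self.idp_value_for = {}  # local account -> IdP NameID value
        self.account_for = {}    # IdP NameID value -> local account

    def link(self, local_account, name_id):
        value = name_id.text.strip()
        self.idp_value_for[local_account] = value
        self.account_for[value] = local_account

    def manage_name_id_request(self, local_account):
        """Step 2: carry the IdP's NameID and offer the local key as NewID."""
        instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        req = ET.Element(f"{{{SAMLP}}}ManageNameIDRequest", ID="_" + uuid.uuid4().hex,
                         Version="2.0", IssueInstant=instant)
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY
        req.append(name_id_element(self.idp_value_for[local_account]))
        ET.SubElement(req, f"{{{SAMLP}}}NewID").text = local_account
        return ET.tostring(req, encoding="unicode")

    def name_id_for_idp(self, local_account):
        """Step 3 done correctly: IdP value present, own key carried alongside."""
        return name_id_element(self.idp_value_for[local_account], local_account)

    def account_from_assertion(self, name_id):
        """The SP may key on the echoed SPProvidedID and fall back to its mapping."""
        sp_id = name_id.get("SPProvidedID")
        if sp_id is not None and sp_id in self.idp_value_for:
            return sp_id
        return self.account_for[name_id.text.strip()]


def idp_accepts(idp, name_id):
    try:
        idp.resolve(name_id)
        return True
    except (ValueError, KeyError):
        return False


def run_flow():
    idp, sp = IdentityProvider(), ServiceProvider()
    value = idp.federate("alice@idp")                       # step 1: persistent federation
    sp.link("acct-4711", idp.assertion_name_id(value))
    idp.handle_manage_name_id(sp.manage_name_id_request("acct-4711"))  # step 2
    echoed = idp.assertion_name_id(value)
    return {
        "idp_user": idp.resolve(sp.name_id_for_idp("acct-4711"))["user"],
        "echoed_sp_id": echoed.get("SPProvidedID"),
        "sp_account": sp.account_from_assertion(echoed),
        "sp_id_only_accepted": idp_accepts(idp, name_id_element("", "acct-4711")),
        "wrong_sp_id_accepted": idp_accepts(idp, name_id_element(value, "acct-9999")),
    }
```

Run `run_flow()` to see the outcome: the IdP resolves the subject and echoes `acct-4711`, while a NameID with only an SPProvidedID, or with an SPProvidedID that does not match the registered one, is rejected. The mismatch check is a defensive choice of this example, not something the thread spells out.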


