OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Seeking clarification of Name ID Management Profile

> I have a few other questions/comments I've inserted below in our
> previous exchange.

I've initiated several errata to clarify the issues you raised, assuming I
can get agreement on my interpretation.

> Isn't it possible that an Assertion might be passed on to a different SP
> through a mechanism other than Web SSO (say Assertion Query/Request
> Profile)?  In this case, how would the SP processing the Assertion know
> which NameID value to use?

SSO and forwarding don't mix. Even ignoring that, multi-party use cases
usually involve token transformation, identifier mapping, encryption, etc.
You can't get any of that from any profiles in SAML 2. It's separate work.

By definition, a subject containing SPProvidedID is a pairwise subject. From
a privacy standpoint, even if you had a global identifier in the NameID that
was shared, once you add the alias in there, you really shouldn't be passing
it around to anybody else. That's fairly intuitive, I think.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]