OASIS Mailing List Archives

saml-dev message


Subject: Seeking a high-level understanding of the Name Identifier Mapping Protocol

Hi Folks,
Consider this scenario:
    Entity A knows a principal by the name: j.doe@acompany.com
    Entity B knows the same principal, but by a different name: technowhiz@hotmail.com
    An Identity Provider, IdP, knows the principal by both names
Let's suppose that Entity B sends to Entity A a SAML document which identifies the Subject as technowhiz@hotmail.com
Well, Entity A doesn't know anyone by this name, so Entity A sends a NameIDMappingRequest to IdP, "Hey, what other names does technowhiz@hotmail.com have?"  Here's how that is generally expressed in XML:
IdP replies with a NameIDMappingResponse, "He also goes by the name: j.doe@acompany.com".  Here's how that is generally expressed in XML:
Entity A knows the principal by the name j.doe@acompany.com, so Entity A immediately recognizes that Entity B is providing information about a principal that he (Entity A) knows about.
Question #1: does this scenario accurately capture the purpose and mechanism of the Name Identifier Mapping Protocol? 
Question #2: suppose the principal goes by more than two names; how does IdP reply with all the names?   According to the specification, NameIDMappingResponse can only have one EncryptedID element.  For example, this is what I would like returned from the above request, but is not allowed:
Thanks.  /Roger
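The exchange Roger describes, as an added example that is not part of the original post and not the SAML specification's own text: Entity A builds a samlp:NameIDMappingRequest carrying the identifier it received from Entity B plus a samlp:NameIDPolicy naming the service provider whose identifier it wants (SPNameQualifier), the IdP answers with a samlp:NameIDMappingResponse carrying exactly one saml:NameID, and Entity A validates InResponseTo, Issuer and Status before trusting the mapped name. Because each response carries a single identifier, the example obtains several names by sending one request per target SPNameQualifier. The entity IDs, e-mail addresses and the in-memory IdP directory are constructed; XML signatures, the SOAP binding and EncryptedID (a plain NameID is used instead) are deliberately omitted.

```python
"""Constructed SAML 2.0 Name Identifier Mapping exchange (example code, not the post's XML).

Entity A, an SP, holds an identifier it does not recognise and asks the IdP which
identifier a given SP (the SPNameQualifier in NameIDPolicy) uses for that principal.
Signing, bindings and EncryptedID are omitted; names and entity IDs are made up.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical entity IDs (assumptions, not from the post).
IDP = "https://idp.example/idp"
ENTITY_A = "https://acompany.example/sp"
ENTITY_B = "https://hotmail.example/sp"
ENTITY_C = "https://third.example/sp"
ALLOWED_REQUESTERS = {ENTITY_A, ENTITY_B}

# Constructed IdP directory: principal -> the identifier each SP knows them by.
DIRECTORY = {
    "principal-1": {ENTITY_A: "j.doe@acompany.com",
                    ENTITY_B: "technowhiz@hotmail.com",
                    ENTITY_C: "jdoe@third.example"},
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_mapping_request(issuer, known_name, fmt, target_sp):
    """Entity A asks: which identifier does `target_sp` use for this principal?"""
    req = ET.Element(f"{{{SAMLP}}}NameIDMappingRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": fmt}).text = known_name
    # NameIDPolicy is mandatory; SPNameQualifier selects whose identifier comes back.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": fmt, "SPNameQualifier": target_sp})
    return ET.tostring(req, encoding="unicode")


def handle_mapping_request(xml_text, idp_entity_id, allowed_requesters):
    """IdP side: authorise the requester, resolve the principal, return ONE NameID."""
    req = ET.fromstring(xml_text)  # production code: verify the signature first
    resp = ET.Element(f"{{{SAMLP}}}NameIDMappingResponse",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "IssueInstant": _now(), "InResponseTo": req.get("ID", "")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    policy = req.find(f"{{{SAMLP}}}NameIDPolicy")
    nid = req.find(f"{{{SAML}}}NameID")
    if issuer not in allowed_requesters or policy is None or nid is None:
        code.set("Value", STATUS_REQUESTER)  # unauthorised or malformed: reveal nothing
        return ET.tostring(resp, encoding="unicode")
    target = policy.get("SPNameQualifier", issuer)
    mapped = None
    for sp_names in DIRECTORY.values():
        if nid.text in sp_names.values():   # principal found under the presented name
            mapped = sp_names.get(target)   # ...now pick the name the target SP uses
            break
    if mapped is None:
        code.set("Value", STATUS_REQUESTER)
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_UNKNOWN_PRINCIPAL})
        return ET.tostring(resp, encoding="unicode")
    code.set("Value", STATUS_SUCCESS)
    ET.SubElement(resp, f"{{{SAML}}}NameID",
                  {"Format": policy.get("Format", EMAIL_FMT), "SPNameQualifier": target}).text = mapped
    return ET.tostring(resp, encoding="unicode")


def parse_mapping_response(xml_text, expected_request_id, expected_idp):
    """Entity A side: bind the answer to our request and issuer before using it."""
    resp = ET.fromstring(xml_text)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer our request (possible replay)")
    if resp.findtext(f"{{{SAML}}}Issuer") != expected_idp:
        raise ValueError("response from unexpected issuer")
    top = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") != STATUS_SUCCESS:
        return None
    nids = resp.findall(f"{{{SAML}}}NameID")
    if len(nids) != 1:  # the schema allows exactly one NameID or EncryptedID
        raise ValueError("expected exactly one NameID in NameIDMappingResponse")
    return nids[0].text


def run_exchange(requester, known_name, target_sp):
    """One full round trip; returns the mapped name or None on a non-success status."""
    req_xml = build_mapping_request(requester, known_name, EMAIL_FMT, target_sp)
    req_id = ET.fromstring(req_xml).get("ID")
    resp_xml = handle_mapping_request(req_xml, IDP, ALLOWED_REQUESTERS)
    return parse_mapping_response(resp_xml, req_id, IDP)


def map_all_names(requester, known_name, targets):
    """Several identifiers need several requests: one per target SPNameQualifier."""
    return {sp: run_exchange(requester, known_name, sp) for sp in targets}


if __name__ == "__main__":
    print(run_exchange(ENTITY_A, "technowhiz@hotmail.com", ENTITY_A))
    print(map_all_names(ENTITY_A, "technowhiz@hotmail.com", [ENTITY_A, ENTITY_B, ENTITY_C]))
```

Two practitioner points the sketch makes concrete: the IdP answers with the one identifier selected by NameIDPolicy rather than enumerating every name it knows, and the requester must refuse any response whose InResponseTo or Issuer does not match, since an attacker who can inject a response could otherwise bind a foreign identifier to a local account.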
