[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Seeking a high-level understanding of the Name Identifier Mapping Protocol
Thanks for your response Scott. I must admit that this paragraph in the Core specification totally threw me (section 3.8): "For example, a service provider that wishes to communicate with another service provider with whom it does not share an identifier for the principal can use an identity provider that shares an identifier for the principal with both service providers to map from its own identifier to a new identifier, generally encrypted, with which it can communicate with the second service provider." I (incorrectly) interpreted it to say, if SP#1 and SP#2 know a principal by different names, then they can request from an IdP the different names that a principal goes by. Would you (or anyone) give the correct interpretation of this paragraph?

-----Original Message-----

> Well, Entity A doesn't know anyone by this name, so Entity A sends a
> NameIDMappingRequest to IdP, "Hey, what other names does
> technowhiz@hotmail.com have?" Here's how that is generally expressed in XML:

That's not the question that a NameIDMappingRequest asks. It's not "what other names", it's "give me the name with these properties...".

> Question #1: does this scenario accurately capture the purpose and
> mechanism of the Name Identifier Mapping Protocol?

No. See above. It's mainly for cross-walking federated/persistent IDs across namespaces. Usually the Format is just "persistent" and the SPNameQualifier is the varying factor. freedom in the representation led to a new Identity Mapping protocol in WSF 2.0.

> Question #2: suppose the principal goes by more than two names; how does
> IdP reply with all the names?

It doesn't, that's not the point of the protocol.

-- Scott
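To make Scott's point concrete: a NameIDMappingRequest carries one identifier the requester already holds (Format plus SPNameQualifier) and one NameIDPolicy naming the namespace it wants an identifier for; the IdP answers with that one identifier or a status code, never with a list. The exchange below is an added example written for this archive page, not code from the saml-dev thread or from any SAML implementation. The entity IDs, the principal's two persistent identifiers, the IdP's allow-list of permitted (requester, target) pairs and the status codes chosen for each failure are constructed assumptions; request signing and the EncryptedID the spec expects in the response are left out so the messages stay readable.

```python
"""Toy SAML 2.0 Name Identifier Mapping exchange (SAML Core section 3.8).
Added example, not code from the saml-dev thread; entity IDs, identifier
values and the mapping policy are constructed sample data."""
import secrets
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ST_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ST_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ST_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
ST_UNKNOWN = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ST_BAD_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP1, SP2, SP3 = "https://sp1.example.com", "https://sp2.example.com", "https://sp3.example.com"
IDP = "https://idp.example.org"
# Constructed IdP state: one principal, known to SP1 and SP2 under two unrelated persistent IDs.
PRINCIPALS = {"user-42": {SP1: "a1b2c3-for-sp1", SP2: "z9y8x7-for-sp2"}}
# Assumed IdP policy: which requester may obtain identifiers qualified for which target SP.
MAPPING_POLICY = {(SP1, SP2), (SP1, SP3)}

def _q(ns, local):
    return "{%s}%s" % (ns, local)

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# ---- requesting SP side ------------------------------------------------------
def build_mapping_request(requester, value, source_sp, target_sp, allow_create=False):
    """Ask for *the* persistent ID qualified for target_sp that belongs to the principal
    the requester knows as `value` in source_sp's namespace (not 'all names')."""
    req = ET.Element(_q(SAMLP, "NameIDMappingRequest"),
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, _q(SAML, "Issuer")).text = requester
    ET.SubElement(req, _q(SAML, "NameID"),
                  {"Format": PERSISTENT, "SPNameQualifier": source_sp}).text = value
    ET.SubElement(req, _q(SAMLP, "NameIDPolicy"),
                  {"Format": PERSISTENT, "SPNameQualifier": target_sp,
                   "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(req, encoding="unicode")

def parse_mapping_response(xml_text):
    """Return (status, secondary status or None, NameID value or None, its SPNameQualifier or None)."""
    resp = ET.fromstring(xml_text)
    top = resp.find(_q(SAMLP, "Status") + "/" + _q(SAMLP, "StatusCode"))
    sub = top.find(_q(SAMLP, "StatusCode"))
    nid = resp.find(_q(SAML, "NameID"))
    return (top.get("Value"), None if sub is None else sub.get("Value"),
            None if nid is None else nid.text, None if nid is None else nid.get("SPNameQualifier"))

# ---- IdP side ------------------------------------------------------------------
def _response(in_response_to, status, sub_status=None, value=None, qualifier=None):
    resp = ET.Element(_q(SAMLP, "NameIDMappingResponse"),
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
                       "InResponseTo": in_response_to})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = IDP
    code = ET.SubElement(ET.SubElement(resp, _q(SAMLP, "Status")), _q(SAMLP, "StatusCode"),
                         {"Value": status})
    if sub_status:
        ET.SubElement(code, _q(SAMLP, "StatusCode"), {"Value": sub_status})
    if value is not None:
        # A real IdP would return a <saml:EncryptedID> encrypted to the target SP, so the
        # requester only holds an opaque token to forward; plaintext here for readability.
        ET.SubElement(resp, _q(SAML, "NameID"),
                      {"Format": PERSISTENT, "SPNameQualifier": qualifier}).text = value
    return ET.tostring(resp, encoding="unicode")

def handle_mapping_request(xml_text):
    """Assumes the request signature was already verified, so Issuer can be trusted."""
    req = ET.fromstring(xml_text)
    rid = req.get("ID", "")
    issuer = req.findtext(_q(SAML, "Issuer"))
    nid = req.find(_q(SAML, "NameID"))
    policy = req.find(_q(SAMLP, "NameIDPolicy"))
    if (nid is None or policy is None or not (nid.text or "").strip()
            or nid.get("Format") != PERSISTENT or policy.get("Format") != PERSISTENT):
        return _response(rid, ST_REQUESTER, ST_BAD_POLICY)  # only persistent<->persistent here
    source_sp, target_sp = nid.get("SPNameQualifier"), policy.get("SPNameQualifier")
    # Example policy: a requester may only present IDs from its own namespace and may only
    # map into namespaces it was explicitly allowed to; this stops an SP from fishing for a
    # principal's identifiers at every other SP.
    if source_sp != issuer or (issuer, target_sp) not in MAPPING_POLICY:
        return _response(rid, ST_REQUESTER, ST_DENIED)
    pid = next((p for p, ids in PRINCIPALS.items() if ids.get(source_sp) == nid.text), None)
    if pid is None:
        return _response(rid, ST_RESPONDER, ST_UNKNOWN)
    mapped = PRINCIPALS[pid].get(target_sp)
    if mapped is None:
        if policy.get("AllowCreate") != "true":
            return _response(rid, ST_RESPONDER, ST_BAD_POLICY)
        mapped = PRINCIPALS[pid][target_sp] = secrets.token_urlsafe(24)  # mint a pairwise ID
    return _response(rid, ST_SUCCESS, None, mapped, target_sp)

if __name__ == "__main__":
    print(handle_mapping_request(build_mapping_request(SP1, "a1b2c3-for-sp1", SP1, SP2)))
```

Running it shows SP1 presenting its own identifier "a1b2c3-for-sp1" and receiving exactly one identifier, "z9y8x7-for-sp2", qualified for SP2; the same principal's identifier for a third SP is never disclosed unless a separate, policy-checked request for that namespace is made, and a request that names another SP's namespace as its source is refused outright.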