OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SAML authority

On 9/14/06, Manuel Ernstberger <MErnstberger@gmx.de> wrote:
> although it might be a bit out of scope for SAML, I'd like to know how a SAML authority can gain information needed for creating assertions. Can it communicate for example with an LDAP directory?

The act of authentication at the identity provider (IdP) *is* out of
scope, but certainly LDAP authentication is common.  The attribute
authority at the IdP may also leverage LDAP to obtain attributes about
a principal.

> And how can it determine whether a subject has been authenticated to an SP?

The IdP (not the SP) is responsible for identifying the principal, so
I'm not sure I understand your question.  An IdP in a particular SAML
V2.0 implementation may maintain state that includes all the SPs it
has issued assertions to (for the purposes of logout, e.g.) but the
IdP is not aware of what access (if any) was granted at a particular

Hope this helps,

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]