
saml-dev message


Subject: SAML 2.0 – Name Qualifier Question



I am new to SAML 2.0 and I have a question on the NameQualifier in the Subject's NameID element.


Below is the scenario.


Let's assume there are 2 IDPs, 1 Trusted Broker and 2 SPs. (Using the Browser POST profile.)




IDP 1 -- domain name idp1.com
  User: Joe
  User: Sam

IDP 2 -- domain name idp2.com
  User: Joe

TB -- domain name tb.com

SP1 -- domain name sp1.com

SP2 -- domain name sp2.com

Let's say the user "joe" is federated from IDP1 to the Trusted Broker. The TB does some processing and then federates the user to SP1.


Note: the TB doesn't maintain any identity; it is just a pass-through.


The SPs maintain the user identity based on the IDP's domain name for authorization purposes.


In this scenario, what is the standard way, in the SAML document, to identify the user uniquely when the Trusted Broker sends a SAML response to an SP?


Is the subject NameID below correct? Or should the NameQualifier be the TB domain, with the primary IDP mentioned in the BaseID?


<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com">joe</saml:NameID>


<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="tb.com">joe</saml:NameID>

<saml:BaseID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com" SPNameQualifier="sp1.com"></saml:BaseID>



Please advise.
Thanks in advance!
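Added example, not from the poster or the list: a small Python check of what an SP should key a federated identity on, built on constructed assertions for the scenario above (tb.com relaying "joe" from idp1.com and "joe" from idp2.com to sp1.com). It assumes the SAML 2.0 Core rule that a persistent NameID is only unique within its NameQualifier and SPNameQualifier scope, and that a missing NameQualifier falls back to the assertion Issuer; with the broker as Issuer, that fallback is exactly where the two Joes would collide.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # default when Format is absent


def build_assertion(issuer, value, name_qualifier=None, sp_qualifier="sp1.com"):
    """Constructed, minimal (unsigned) assertion used only for this example."""
    nq = f' NameQualifier="{name_qualifier}"' if name_qualifier else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{PERSISTENT}"{nq} '
            f'SPNameQualifier="{sp_qualifier}">{value}</saml:NameID>'
            f"</saml:Subject></saml:Assertion>")


def name_id_key(assertion_xml):
    """Return the tuple an SP should store as the user's federated identity.

    The bare value ("joe") is not unique across IDPs, so the key is
    (Format, NameQualifier, SPNameQualifier, value). If NameQualifier is
    omitted, the Issuer of the assertion is assumed (hypothetical fallback
    mirroring the Core spec's "derived from context" rule).
    """
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    value = (nid.text or "").strip() if nid is not None else ""
    if not value:
        raise ValueError("assertion has no usable Subject/NameID")
    issuer = (root.findtext(f"{{{SAML}}}Issuer", default="") or "").strip()
    qualifier = (nid.get("NameQualifier") or issuer).strip()
    if not qualifier:
        raise ValueError("cannot scope NameID: no NameQualifier and no Issuer")
    fmt = nid.get("Format", UNSPECIFIED)
    return (fmt, qualifier, (nid.get("SPNameQualifier") or "").strip(), value)


# Constructed samples for the thread's scenario: broker tb.com relays both Joes to sp1.com.
JOE_IDP1_QUALIFIED = build_assertion("tb.com", "joe", name_qualifier="idp1.com")
JOE_IDP2_QUALIFIED = build_assertion("tb.com", "joe", name_qualifier="idp2.com")
JOE_IDP1_UNQUALIFIED = build_assertion("tb.com", "joe")  # broker dropped the IDP qualifier
JOE_IDP2_UNQUALIFIED = build_assertion("tb.com", "joe")  # ...for the other Joe as well


def collides(assertion_a, assertion_b):
    """True when two assertions would map to the same SP-side identity."""
    return name_id_key(assertion_a) == name_id_key(assertion_b)


if __name__ == "__main__":
    print("qualified:  ", name_id_key(JOE_IDP1_QUALIFIED), name_id_key(JOE_IDP2_QUALIFIED))
    print("unqualified:", name_id_key(JOE_IDP1_UNQUALIFIED), "collides:",
          collides(JOE_IDP1_UNQUALIFIED, JOE_IDP2_UNQUALIFIED))
```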


