Subject: SAML 2.0 – Name Qualifier Question
Hi,
I am new to SAML 2.0 and I have a question on the Name Qualifier in Subject - NameID element.
Below is the scenario
Let's assume there are 2 IDPs, 1 Trusted Broker and 2 SPs. (Using Browser Post Profile)
IDPS
IDP 1 -- domain name idp1.com
User: Joe
User: Sam
IDP 2 -- domain name idp2.com
User: Joe
TB - domain name tb.com
SPs
SP1 -- domain name sp1.com
Idp1.com:joe
Idp1.com:sam
Idp2.com:joe
SP2 -- domain name sp2.com
Idp1.com:joe
Idp1.com:sam
Idp2.com:joe
Let's say the user "joe" is federated from IDP1 to the Trusted Broker. The TB does some processing and then federates the user to SP1.
Note: the TB doesn't maintain any identity, it is just a pass-through.
The SPs maintain the user identity based on the IDP's domain name for authorization purposes.
In this scenario, what is the standard way to identify the user uniquely in the SAML document when the Trusted Broker sends a SAML response to the SP?
Is the Subject NameID below correct? Or should the NameQualifier be the TB domain, with the primary IDP mentioned in the BaseID?
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com">joe</saml:NameID>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="tb.com">joe</saml:NameID>
<saml:BaseID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com" SPNameQualifier="sp1.com"></saml:BaseID>
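A defensive check for the SP side of the scenario above, added here as an example and not part of the original post: it keys a subject on the whole persistent NameID tuple (Format, NameQualifier, SPNameQualifier, value), which SAML Core requires when comparing name identifiers, so idp1.com's joe and idp2.com's joe stay distinct and an unqualified persistent identifier is rejected instead of guessed at. The NameID strings are constructed samples; the function names are mine.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"


def nameid_key(nameid_xml: str) -> tuple:
    """Return the tuple an SP should use as the subject's identity key.

    SAML Core 2.0 section 2.2.3 says Format, NameQualifier, SPNameQualifier
    and the element content must all match for two NameIDs to be equal, so
    keying on the bare value "joe" would merge users from different IdPs.
    """
    el = ET.fromstring(nameid_xml)
    if el.tag != "{%s}NameID" % SAML_NS:
        raise ValueError("not a saml:NameID element")
    fmt = el.get("Format", UNSPECIFIED)
    name_qualifier = el.get("NameQualifier")
    sp_name_qualifier = el.get("SPNameQualifier")
    value = (el.text or "").strip()
    if not value:
        raise ValueError("empty NameID value")
    if fmt == PERSISTENT and name_qualifier is None:
        # A persistent identifier without its issuing scope is ambiguous
        # across IdPs; refuse it rather than assume which IdP issued it.
        raise ValueError("persistent NameID is missing NameQualifier")
    return (fmt, name_qualifier, sp_name_qualifier, value)


def accepts(nameid_xml: str) -> bool:
    """True if the NameID is well-formed enough to be used as an identity key."""
    try:
        nameid_key(nameid_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


def same_subject(a: str, b: str) -> bool:
    """Compare two NameIDs the way the SP's authorization store should."""
    return nameid_key(a) == nameid_key(b)


# Constructed samples: the same "joe" issued by two different IdPs for sp1.com,
# plus a persistent NameID that lost its NameQualifier on the way through a broker.
_TPL = '<saml:NameID xmlns:saml="%s" Format="%s"%s> %s </saml:NameID>'
JOE_IDP1 = _TPL % (SAML_NS, PERSISTENT, ' NameQualifier="idp1.com" SPNameQualifier="sp1.com"', "joe")
JOE_IDP2 = _TPL % (SAML_NS, PERSISTENT, ' NameQualifier="idp2.com" SPNameQualifier="sp1.com"', "joe")
JOE_UNQUALIFIED = _TPL % (SAML_NS, PERSISTENT, "", "joe")
```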