saml-dev message
Subject: SAML 2.0 – Name Qualifier Question

Hi,

I am new to SAML 2.0 and I have a question on the NameQualifier in the Subject's NameID element.

Below is the scenario.

Let's assume there are 2 IDPs, 1 Trusted Broker and 2 SPs (using the Browser POST profile).


IDPs

IDP 1 -- domain name idp1.com
  User: Joe
  User: Sam

IDP 2 -- domain name idp2.com
  User: Joe

TB -- domain name tb.com

SPs

SP1 -- domain name sp1.com
  Idp1.com:joe
  Idp1.com:sam
  Idp2.com:joe

SP2 -- domain name sp2.com
  Idp1.com:joe
  Idp1.com:sam
  Idp2.com:joe


Let's say the user "joe" federates from IDP1 to the Trusted Broker. The TB does some processing and then federates the user to SP1.

Note: the TB doesn't maintain any identity; it is just a pass-through.

The SPs maintain the user identity based on the IDP's domain name for authorization purposes.

In this scenario, what is the standard way to identify the user uniquely in the SAML document when the Trusted Broker sends a SAML response to the SP?

Is the subject NameID below correct? Or should NameQualifier be the TB domain and the primary IDP be mentioned in the BaseID?


<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com">joe</saml:NameID>

Or

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="tb.com">joe</saml:NameID>

<saml:BaseID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp1.com" SPNameQualifier="sp1.com"></saml:BaseID>


Please advise.

Thanks in advance!

Naveen
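As an added illustration (not part of Naveen's message, and not any project's code), here is a small Python check an SP could run on the Subject/NameID of a response like the ones above. It assumes the SP keeps its accounts keyed by the originating IdP's qualifier, as the SP tables in the question do, that the SP's own entity identifier is its domain (sp1.com), and that signature and Conditions checks have already passed. It applies the rules of SAML 2.0 Core section 8.3.7: a persistent identifier is unique only within the scope of its NameQualifier and SPNameQualifier, a NameQualifier that is present must name the identity provider that generated the identifier, and an omitted NameQualifier is taken from context (the assertion issuer). The code derives that identifier triple and refuses anything it cannot match to a trusted IdP. The sample Response is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample (not from the thread): a Response issued by the broker
# tb.com whose NameID is still qualified by the originating IdP idp1.com.
# Signature and Conditions elements are omitted; their validation is assumed
# to happen before this code runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2004-01-01T00:00:00Z"
    Destination="https://sp1.com/acs">
  <saml:Issuer>tb.com</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2004-01-01T00:00:00Z">
    <saml:Issuer>tb.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                   NameQualifier="idp1.com" SPNameQualifier="sp1.com">joe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_subject_key(xml_text, my_entity_id, trusted_idps, allowed_formats=(PERSISTENT,)):
    """Return (name_qualifier, sp_name_qualifier, value) for the assertion's subject.

    Raises ValueError when the NameID cannot be mapped to a local account:
    the qualifier triple, not the bare value, is what makes a persistent
    identifier unique (SAML Core 8.3.7).
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        # BaseID (abstract, needs an xsi:type) and EncryptedID are not handled here.
        raise ValueError("Subject carries no NameID")

    fmt = name_id.get("Format", UNSPECIFIED)  # Core 2.2.2: absent Format means unspecified
    if fmt not in allowed_formats:
        raise ValueError("NameID Format not accepted: " + fmt)

    value = (name_id.text or "").strip()
    if not value:
        raise ValueError("empty NameID value")

    # Core 8.3.7: an omitted NameQualifier is derived from context, i.e. the issuer,
    # and an omitted SPNameQualifier means the identifier was made for this SP.
    name_qualifier = name_id.get("NameQualifier") or issuer
    sp_qualifier = name_id.get("SPNameQualifier") or my_entity_id

    if sp_qualifier != my_entity_id:
        raise ValueError("identifier was generated for another SP: " + sp_qualifier)
    if name_qualifier not in trusted_idps:
        # A broker-qualified or unqualified name cannot be matched against
        # accounts keyed by the originating IdP.
        raise ValueError("NameQualifier %r is not a trusted IdP" % name_qualifier)
    return name_qualifier, sp_qualifier, value


def local_account_key(xml_text, my_entity_id, trusted_idps):
    """Key in the 'idpdomain:user' shape the SPs in the question use for their accounts."""
    name_qualifier, _, value = extract_subject_key(xml_text, my_entity_id, trusted_idps)
    return "%s:%s" % (name_qualifier, value)


def accepts(xml_text, my_entity_id, trusted_idps):
    """True if the response maps to a local account, False if it is rejected."""
    try:
        extract_subject_key(xml_text, my_entity_id, trusted_idps)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sp1_trusted = {"idp1.com", "idp2.com"}
    print(local_account_key(SAMPLE_RESPONSE, "sp1.com", sp1_trusted))  # idp1.com:joe
    broker_qualified = SAMPLE_RESPONSE.replace('NameQualifier="idp1.com"', 'NameQualifier="tb.com"')
    print(accepts(broker_qualified, "sp1.com", sp1_trusted))  # False: tb.com is not an IdP
    unqualified = SAMPLE_RESPONSE.replace('NameQualifier="idp1.com" ', "")
    print(accepts(unqualified, "sp1.com", sp1_trusted))  # False: defaults to issuer tb.com
    print(accepts(SAMPLE_RESPONSE, "sp2.com", sp1_trusted))  # False: SPNameQualifier is sp1.com
```

Running it maps the sample to idp1.com:joe, while the broker-qualified variant, the variant with no NameQualifier (which falls back to the issuer tb.com) and the same assertion presented to sp2.com are all rejected. Which qualifier the broker ought to emit is the spec question the message asks; the check simply shows what an SP keyed by IdP domain ends up matching on, and that the pair of qualifiers, not the value "joe" alone, carries the identity.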