[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] SAML 2.0 – Name Qualifier Question
On 1/7/07, i2ware i2ware < i2coder@gmail.com> wrote:
>
> Note: TB doesn't maintain any Identity just a pass through.
This is an important observation. If the TB does not federate
identifiers, what exactly does it do?
> The SPs maintain the user identity based on IDPs domain name for
> authorization purpose.
>
> In this scenario, what is the standard way to define in SAML document to
> identify the user uniquely when Trusted Broker sends a saml response to sp?
Well, SAML has no notion of "Trusted Broker" so this is not a standard
scenario. In any event, if the TB does not federate identifiers, it
has no choice but to use the identifier produced by the IdP.
> Is below subject nameid correct? Or should NameQualifier be the TB domain
> and the primary IDP should be mentioned in the BaseID?
>
> < saml:NameID Format=" urn:oasis:names:tc:SAML: 2.0:nameid-format:persistent"
> NameQualifier=" idp1.com"> joe</ saml:NameID>
>
> Or
>
> < saml:NameID Format=" urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> NameQualifier="tb .com">joe </ saml:NameID>
The spec is pretty clear about this. The NameQualifier refers to the
IdP that produced the identifier, which is idp1.com in this case.
> < saml:BaseID Format=" urn:oasis:names:tc:SAML: 2.0:nameid-format:persistent"
> NameQualifier="idp1 .com" SPNameQualifier=" sp1.com"></ saml:BaseID>
The BaseID element is derived from an abstract type, so the above is
not correct. You would need to extend the saml:BaseIDAbstractType and
specify the type of the BaseID element to have this new type.
Tom
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]