OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SAML 2.0 – Name Qualifier Question

Thanks. Please see my comments below.

On 1/8/07, Tom Scavo <trscavo@gmail.com> wrote:
On 1/7/07, i2ware i2ware <i2coder@gmail.com> wrote:
> What I meant was the TB doesn't maintain any user information in its
> repository (persistence). Once the user federates from IDP to TB, TB
> verifies the saml response document and if it is valid then maintains the
> user information(subject value and attributes) sent by IDP in session

Ah, I see.  Okay, in that case the easiest thing to do (it seems) is
for the TB to issue its own transient identifier.  If the IdP asserts
a persistent identifier to the TB, the TB could use that, I suppose,
but the NameQualifier would not change as the identifier flows across

It is the re-assertion of attributes that is most interesting.  Does
the TB repackage the attributes and assert them as its own, or pass
the assertion from the IdP to the SP so that the latter can make its
own decision.  From the scenario that you've described, it seems you
intend to repackage and re-assert the attributes, but that raises some
issues depending on the trust relationships between the various

Yes, TB adds some more additional attributes to what IDP provided. The trust relationship is between IDP and TB , TB and SP.

It looks like using transient identifier is best option. I am planning to change the identifier value too, just to make sure the SP has enough value (incase namequalifier is not enough) to identify the user uniquely.

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="idp1.com" SPNameQualifier="sp1.com">uid=joe,o= idp1.com</saml:NameID>

Does the SP trust the IdP?

No, SP only trust the TB.

> and it
> then displays the list of websites the user can access (sp websites). The
> user clicks on the website, TB federate the user information (contains the
> value sent by IDP) to SP, the SP then validates and create necessary
> credentials and route the user to website.

The TB asserts no new information of its own?  Does the SP trust the
IdP?  If so, you might consider using a <thrpty:RespondTo> element:


Hope this helps,

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]