saml-dev message



Subject: Re: [saml-dev] SAML 2.0 – Name Qualifier Question


Thanks. Please see my comments below.

On 1/8/07, Tom Scavo <trscavo@gmail.com> wrote:
On 1/7/07, i2ware i2ware <i2coder@gmail.com> wrote:
>
> What I meant was the TB doesn't maintain any user information in its
> repository (persistence). Once the user federates from IDP to TB, TB
> verifies the saml response document and if it is valid then maintains the
> user information(subject value and attributes) sent by IDP in session

Ah, I see.  Okay, in that case the easiest thing to do (it seems) is
for the TB to issue its own transient identifier.  If the IdP asserts
a persistent identifier to the TB, the TB could use that, I suppose,
but the NameQualifier would not change as the identifier flows across
boundaries.

It is the re-assertion of attributes that is most interesting.  Does
the TB repackage the attributes and assert them as its own, or pass
the assertion from the IdP to the SP so that the latter can make its
own decision?  From the scenario that you've described, it seems you
intend to repackage and re-assert the attributes, but that raises some
issues depending on the trust relationships between the various
parties.

Yes, the TB adds some additional attributes to what the IDP provided. The trust relationship is between IDP and TB, and between TB and SP.

It looks like using a transient identifier is the best option. I am planning to change the identifier value too, just to make sure the SP has enough value (in case NameQualifier is not enough) to identify the user uniquely.

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="idp1.com" SPNameQualifier="sp1.com">uid=joe,o=idp1.com</saml:NameID>


Does the SP trust the IdP?

No, the SP only trusts the TB.

> and it
> then displays the list of websites the user can access (sp websites). The
> user clicks on the website, TB federate the user information (contains the
> value sent by IDP) to SP, the SP then validates and create necessary
> credentials and route the user to website.

The TB asserts no new information of its own?  Does the SP trust the
IdP?  If so, you might consider using a <thrpty:RespondTo> element:

http://www.oasis-open.org/committees/download.php/20199/sstc-saml-protocol-ext-thirdparty-cd-02.pdf

Hope this helps,
Tom
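Added example (not from the thread or any SAML project): a trust broker (TB) minting its own transient NameID as Tom suggests, with an opaque random value, the TB's own entity ID as NameQualifier and the target SP as SPNameQualifier, kept only in TB session state since the TB has no user repository; the SP-side parser then accepts only a transient identifier qualified by the TB and scoped to that SP. The entity IDs, the session dictionary and the sample attributes are assumptions constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("saml", SAML_NS)

# Assumed entity IDs for the trust broker (TB) and the service provider (SP).
TB_ENTITY_ID = "https://tb.example.org/saml"
SP_ENTITY_ID = "https://sp1.example.com/saml"

# Constructed in-memory stand-in for the TB's session store (the TB keeps no
# persistent user repository, so the mapping lives only for the session).
_sessions = {}


def mint_transient_nameid(session_attrs, sp_entity_id, tb_entity_id=TB_ENTITY_ID):
    """Issue a fresh, opaque transient NameID for one SSO hop to one SP.

    The value is random, so the SP learns nothing about IdP-side names and
    cannot correlate it across sessions; the TB keys its session on it.
    """
    token = "_" + secrets.token_hex(16)  # 128 random bits, leading "_" keeps it an NCName
    _sessions[(tb_entity_id, sp_entity_id, token)] = dict(session_attrs)
    el = ET.Element(f"{{{SAML_NS}}}NameID", {
        "Format": TRANSIENT,
        "NameQualifier": tb_entity_id,    # the asserting party that minted it
        "SPNameQualifier": sp_entity_id,  # the only SP it is intended for
    })
    el.text = token
    return ET.tostring(el, encoding="unicode")


def parse_transient_nameid(xml_text, expected_sp=SP_ENTITY_ID, expected_tb=TB_ENTITY_ID):
    """SP-side check: accept only a transient NameID from the trusted TB, scoped to us."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("not a saml:NameID element")
    if el.get("Format") != TRANSIENT:
        raise ValueError("unexpected NameID Format")
    if el.get("NameQualifier") != expected_tb:
        raise ValueError("NameID not qualified by the trusted TB")
    if el.get("SPNameQualifier") != expected_sp:
        raise ValueError("NameID scoped to a different SP")
    return (el.get("NameQualifier"), el.get("SPNameQualifier"), (el.text or "").strip())


def resolve_session(nameid_triple):
    """TB-side lookup of the attributes behind a transient identifier (None if unknown)."""
    return _sessions.get(nameid_triple)
```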


