
saml-dev message


Subject: Re: [saml-dev] extending SubjectLocality

On 2/2/07, Cahill, Conor P <conor.p.cahill@intel.com> wrote:
> The locality specifies the domain name and IP address for
> the *system from which the assertion subject apparently
> authenticated*.  It's about where the authentication came from
> and not about the subject itself.

Conor, I'm having a hard time understanding the distinction you're
trying to make.  Can you give an example that illustrates your point?

> If you're trying to make the same kind of statement
> (e.g.  "that the system from which the assertion subject
> apparently authenticated is in the US") then it should
> go in the AuthnStatement.

Since the country is determined by the IP address, I'm pretty sure
this is the correct interpretation.  However, I'm not sure how to
include the country code in a SAML V2.0 AuthnStatement, let alone a
SAML V1.1 AuthenticationStatement (hence, my original post).

> If, on the other hand, you're trying to say that the
> Subject is in the US,  then you should use an
> attribute statement.  Whether or not you can make this
> latter statement is a different matter.

Conor, I don't know what you mean by "Subject is in the US."  Do you
mean that the Subject is a resident of the US (by some definition of
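
The two placements distinguished in the quoted text, as an added example that is not part of the original thread: in a SAML V2.0 assertion, SubjectLocality inside the AuthnStatement carries the Address and DNSName of the system the subject authenticated from, while a statement about the subject goes in an AttributeStatement. The assertion below is constructed and unsigned, and the attribute name `urn:example:attr:subject-country` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample. A real consumer verifies the signature first.
# The attribute name "urn:example:attr:subject-country" is hypothetical.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2007-02-02T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2007-02-02T12:00:00Z">
    <saml:SubjectLocality Address="192.0.2.10" DNSName="client.example.net"/>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:attr:subject-country">
      <saml:AttributeValue>US</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def authn_localities(assertion_xml):
    """(Address, DNSName) per AuthnStatement: where authentication came from."""
    root = ET.fromstring(assertion_xml)
    out = []
    for stmt in root.findall("saml:AuthnStatement", NS):
        loc = stmt.find("saml:SubjectLocality", NS)
        if loc is None:
            out.append((None, None))  # SubjectLocality is optional
        else:
            out.append((loc.get("Address"), loc.get("DNSName")))
    return out

def subject_attributes(assertion_xml):
    """Attribute name -> values: statements about the subject itself."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs
```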

