Subject: Re: [saml-dev] Question about affiliationOwnerID
Hello,

> The owner ID is informational. Affiliations are only relevant for the
> purpose of scoping identifiers. The only place they show up operationally is
> in an SPNameQualifier, at least that I can think of right now.
>
> And no, you would basically never set those to be the same, it doesn't make
> any sense. The affiliation is a group, the owner would be a specific entity.

Thank you for your prompt reply, and I think I got it.

Then I'm also trying to clarify the SSO sequence and the contents of <AuthnRequest> that use Affiliation, described on page 9 of "SAML 2.0 Interoperability Testing Procedures":
http://www.projectliberty.org/liberty/content/download/952/6702/file/LAP-SAML-TP-Rev2.0-Final_7192006165451.pdf

When I compose <AuthnRequest> to satisfy Steps 79-82 in Table 2 of the document above, some questions have come up.

For example, when "http://ServiceProvider.com" is a member of affiliation "http://AffiliationA.com", I think the AuthnRequest is like below.

<samlp:AuthnRequest Consent="...." Destination="http://IdentityProvider.com/SAML/SSO"
    ForceAuthn="true" ID="...." IsPassive="false" IssueInstant="...." Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ServiceProvider.com/SAML</saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://IdentityProvider.com/SAML"
        SPNameQualifier="http://AffiliationA.com"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="http://AffiliationA.com" />
</samlp:AuthnRequest>

Then ...

QUESTION 1: Should the Issuer be http://ServiceProvider.com/SAML?

QUESTION 2: Should the SPNameQualifier attribute of NameID be http://AffiliationA.com?

QUESTION 3: Should the SPNameQualifier attribute of NameIDPolicy be http://AffiliationA.com, following [SAMLCore] 3.4.1.1 Element <NameIDPolicy>?

QUESTION 4: The SP signs the AuthnRequest using the SP's key (not the Affiliation's), right?

QUESTION 5: If the answers to QUESTION 1 and 4 are "YES", when and in which case is the Affiliation's key used? (I guess it is only used in the encryption/decryption case: the IdP encrypts something using the Affiliation's public key, then the SP decrypts it. To do so, affiliation members share the same public-private key pair.)

Thanks,

--
Hideki
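The earlier reply says affiliations show up operationally only in an SPNameQualifier. The following is an added example (not part of this thread, and not any SAML implementation's own code) of what an IdP-side receiver can do with that: parse the scoping attributes out of an AuthnRequest like the one above and check that a requester only asks for identifiers scoped to itself or to an affiliation it is known to belong to. The sample request reuses the post's AuthnRequest with its "...." placeholders filled by constructed values; the AFFILIATIONS table and the membership rule it enforces are assumptions of this example, standing in for whatever metadata-backed configuration a real IdP would consult.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the AuthnRequest from the post, with its "...." placeholders
# filled in with made-up values. The persistent NameID is requested in the
# namespace of the affiliation rather than that of the requesting SP.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="http://IdentityProvider.com/SAML/SSO"
    ForceAuthn="true" ID="_constructed-request-id-1" IsPassive="false"
    IssueInstant="2006-07-19T00:00:00Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://ServiceProvider.com/SAML</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://IdentityProvider.com/SAML"
        SPNameQualifier="http://AffiliationA.com"/>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="http://AffiliationA.com"/>
</samlp:AuthnRequest>
"""

# Hypothetical IdP-side configuration: affiliation entity ID -> member entity IDs.
AFFILIATIONS = {
    "http://AffiliationA.com": {"http://ServiceProvider.com/SAML"},
}


def parse_authn_request(xml_text):
    """Extract the Issuer and the identifier-scoping attributes from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML)
    name_id = root.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_sp_qualifier": name_id.get("SPNameQualifier") if name_id is not None else None,
        "policy_format": policy.get("Format") if policy is not None else None,
        "policy_sp_qualifier": policy.get("SPNameQualifier") if policy is not None else None,
    }


def check_identifier_scoping(req, affiliations):
    """Return a list of problems; an empty list means the scoping is acceptable.

    Rule modelled here (an assumption of this example): an SPNameQualifier may
    name the requester itself or an affiliation the requester belongs to, and
    NameID and NameIDPolicy must not disagree about it.
    """
    problems = []
    issuer = req["issuer"]
    if not issuer:
        problems.append("missing Issuer; cannot tell who is requesting the identifier")
        return problems
    for field in ("nameid_sp_qualifier", "policy_sp_qualifier"):
        qualifier = req[field]
        if qualifier is None or qualifier == issuer:
            continue  # absent or scoped to the requester itself: nothing to verify
        members = affiliations.get(qualifier)
        if members is None:
            problems.append("%s: %s is neither the requester nor a known affiliation"
                            % (field, qualifier))
        elif issuer not in members:
            problems.append("%s: %s is not a member of affiliation %s"
                            % (field, issuer, qualifier))
    nid, pol = req["nameid_sp_qualifier"], req["policy_sp_qualifier"]
    if nid is not None and pol is not None and nid != pol:
        problems.append("NameID (%s) and NameIDPolicy (%s) disagree on SPNameQualifier"
                        % (nid, pol))
    return problems


if __name__ == "__main__":
    parsed = parse_authn_request(SAMPLE_REQUEST)
    for key, value in parsed.items():
        print("%-22s %s" % (key, value))
    print("problems:", check_identifier_scoping(parsed, AFFILIATIONS) or "none")
```

With the sample request and the AFFILIATIONS table above the check passes; removing the SP from the affiliation's member set, or leaving the affiliation out of the table entirely, produces one finding for the NameID and one for the NameIDPolicy, which is the point of keeping the membership check on the receiving side rather than trusting the qualifier the requester supplied.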