saml-dev message


Subject: Re: [saml-dev] Question about affiliationOwnerID


> The owner ID is informational. Affiliations are only relevant for the
> purpose of scoping identifiers. The only place they show up operationally is
> in an SPNameQualifier, at least that I can think of right now.
> And no, you would basically never set those to be the same, it doesn't make
> any sense. The affiliation is a group, the owner would be a specific entity.

Thank you for your prompt reply, and I think I got it.

Then I'm also trying to clarify the SSO sequence and the contents of the
<AuthnRequest> that uses an Affiliation, described on page 9 in "SAML 2.0
Interoperability Testing Procedures".

When I compose an <AuthnRequest> to satisfy Steps 79-82 in Table 2 of the
document above, some questions have come up.

For example, when "http://ServiceProvider.com" is a member of the
affiliation "http://AffiliationA.com",
I think the AuthnRequest is like below.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Consent="...."
        Destination="http://IdentityProvider.com/SAML/SSO" ForceAuthn="true"
        ID="...." IsPassive="false"
        IssueInstant="...." Version="2.0">
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        ....
    </saml:Subject>
    <samlp:NameIDPolicy AllowCreate="true"
                        SPNameQualifier="http://AffiliationA.com" />
</samlp:AuthnRequest>

Then ...
QUESTION 1: Should Issuer be http://ServiceProvider.com/SAML?
QUESTION 2: Should SPNameQualifier attribute of NameID be
QUESTION 3: Should SPNameQualifier attribute of NameIDPolicy be
http://AffiliationA.com  by following [SAMLCore] Element
QUESTION 4: The SP signs the AuthnRequest using the SP's key (not the Affiliation's), right?
QUESTION 5: If the answers to QUESTION 1 and 4 are "YES", when and in which
case is the Affiliation's key used? (I guess it is only used in the
encryption/decryption case: the IdP encrypts something using the
Affiliation's public key, then the SP decrypts it. To do so, affiliation
members share the same public-private key pair.)
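As an added example (not part of this thread or of any SAML implementation), the Python below builds the request shape proposed in this message, with the member SP's own entityID as Issuer and the affiliation as NameIDPolicy/@SPNameQualifier, and then shows the SP-side check that a NameID returned by the IdP is actually scoped to this SP or to an affiliation it belongs to. The entity IDs, request ID, issue instant and the sample assertion are constructed values, and the Issuer/affiliation layout is the message's own proposal, not an answer from the list.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample values, not taken from any real deployment.
SP_ENTITY_ID = "http://ServiceProvider.com"
AFFILIATION_ID = "http://AffiliationA.com"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="http://IdentityProvider.com"
                 SPNameQualifier="http://AffiliationA.com">pseudonym-123</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def build_authn_request(issuer, affiliation, request_id, issue_instant):
    """Build the <AuthnRequest> shape proposed in the message (an assumption,
    not a list answer): Issuer is the member SP's own entityID, and the
    NameIDPolicy SPNameQualifier names the affiliation to scope the ID to."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": "http://IdentityProvider.com/SAML/SSO",
        "ForceAuthn": "true", "IsPassive": "false"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy", {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "SPNameQualifier": affiliation})
    return ET.tostring(req, encoding="unicode")


def check_returned_nameid(assertion_xml, sp_entity_id, affiliations):
    """SP-side scoping check on the NameID an IdP returned. An absent
    SPNameQualifier is treated as the SP's own entityID (the default assumed
    here); a present one must equal this SP's entityID or an affiliation the
    SP belongs to, otherwise the identifier was issued for some other party
    and must not be mapped to a local account. Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return False, "no NameID value in Subject"
    qualifier = name_id.get("SPNameQualifier", sp_entity_id)
    if qualifier == sp_entity_id or qualifier in affiliations:
        return True, f"identifier scoped to {qualifier}"
    return False, f"SPNameQualifier {qualifier!r} is not this SP or one of its affiliations"


if __name__ == "__main__":
    print(build_authn_request(SP_ENTITY_ID, AFFILIATION_ID, "_req1", "2007-01-01T00:00:00Z"))
    print(check_returned_nameid(SAMPLE_ASSERTION, SP_ENTITY_ID, {AFFILIATION_ID}))
```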


