Subject: RE: [saml-dev] Ref.: RE: [saml-dev] Question about logout


> About this part:
> "If the IdP gets a request with some other value
> it should treat that as a failure, even if the IdP could *guess* which
> user the caller is talking about."
> 
> Where is this constraint indicated in the spec?

It isn't because it isn't a constraint. How you identify principals in any
given context is implementation-specific. If you want to implement policies
controlling who can initiate operations around particular principals, you
can do that. It's up to customers what they expect products to do.

The only places where there are specific mentions of the need to *not* allow for
identifier "fuzziness" in identifying principals are in subject matching for
some messages and in the NameIDMgmt protocol.

-- Scott
