Subject: RE: [saml-dev] Réf. : RE: [saml-dev] Question about logout
> About this part:
> "If the IdP gets a request with some other value
> it should treat that as a failure, even if the IdP could *guess* which
> user the caller is talking about."
>
> Where is this constraint indicated in the spec?

It isn't, because it isn't a constraint. How you identify principals in any given context is implementation-specific. If you want to implement policies controlling who can initiate operations around particular principals, you can do that. It's up to customers what they expect products to do.

The only places there are specific mentions of the need to *not* allow for identifier "fuzziness" in identifying principals are in subject matching for some messages and in the NameIDMgmt protocol.

-- Scott