Subject: RE: [saml-dev] Question about affiliationOwnerID
> Then I'm also trying to clarify the SSO sequence and contents of
> <AuthnRequest> that use Affiliation, described on page 9 of "SAML 2.0
> Interoperability Testing Procedures":
> http://www.projectliberty.org/liberty/content/download/952/6702/file/LAP-SAML-TP-Rev2.0-Final_7192006165451.pdf

I haven't read it, so I'm not telling you anything based on what that says; I can only tell you what's spec-legal or not.

> For example, when "http://ServiceProvider.com" is a member of
> affiliation "http://AffiliationA.com",
> I think the AuthnRequest is like below.

I think it's close, but you don't use Subject in those cases.

> Then ...
> QUESTION 1: Should Issuer be http://ServiceProvider.com/SAML?

Yes.

> QUESTION 2: Should the SPNameQualifier attribute of NameID be
> http://AffiliationA.com?

No, you would almost never use a Subject there. Certainly not an empty one; that isn't sensible.

> QUESTION 3: Should the SPNameQualifier attribute of NameIDPolicy be
> http://AffiliationA.com, following [SAMLCore] 3.4.1.1 Element
> <NameIDPolicy>?

If that's the identifier scope you want.

> QUESTION 4: The SP signs the AuthnRequest using the SP's key (not the
> Affiliation's), right?

I doubt the affiliation has a key.

> QUESTION 5: If the answers to QUESTION 1 and 4 are "YES", when and in
> which case is the Affiliation's key used? (I guess it is only used in the
> encryption/decryption case: the IdP encrypts something using the
> Affiliation's public key, then the SP decrypts it. To do so, affiliation
> members share the same public-private key pair.)

I would say never.

-- Scott
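The following is an added example, not code from the thread or from any SAML implementation, that puts Scott's answers into a concrete AuthnRequest: the Issuer is the SP's own entityID, there is no Subject, and NameIDPolicy carries the affiliation as SPNameQualifier. It also includes an IdP-side sanity check that an affiliation-scoped request is actually issued by a member of the named affiliation. The entityIDs come from the thread; the IdP SSO URL, the ACS URL, the affiliation membership table and the check itself are assumptions made for the example. Signing with the SP's key (for instance with an xmlsec library) is not shown.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# EntityIDs from the thread; the IdP and ACS URLs are assumed for this example.
SP_ENTITY_ID = "http://ServiceProvider.com/SAML"
AFFILIATION_ID = "http://AffiliationA.com"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/POST"      # assumed
ACS_URL = "https://ServiceProvider.com/SAML/ACS"             # assumed

# Constructed stand-in for what an IdP would read from affiliation metadata:
# affiliation entityID -> set of member entityIDs.
AFFILIATIONS = {
    AFFILIATION_ID: {SP_ENTITY_ID, "http://OtherMember.example/SAML"},
}


def build_authn_request(sp_entity_id, affiliation_id, idp_sso_url, acs_url, request_id=None):
    """Build an affiliation-scoped AuthnRequest as described in the thread:
    Issuer is the SP's own entityID (not the affiliation), no Subject element,
    and NameIDPolicy/@SPNameQualifier names the affiliation as the identifier scope."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": PERSISTENT,
        "SPNameQualifier": affiliation_id,
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def check_affiliation_request(xml_text, affiliations):
    """Assumed IdP-side checks, run after signature verification (not shown here).
    Returns a list of problems; an empty list means the request is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not an AuthnRequest"]
    problems = []
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if not issuer:
        problems.append("missing Issuer")
    # Per the thread, an affiliation-scoped request does not carry a Subject.
    if root.find(f"{{{SAML}}}Subject") is not None:
        problems.append("Subject present; affiliation-scoped requests should not carry one")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        problems.append("missing NameIDPolicy")
    else:
        qualifier = policy.get("SPNameQualifier")
        # A qualifier other than the issuer itself must be an affiliation the issuer belongs to;
        # otherwise one SP could ask for identifiers scoped to somebody else.
        if qualifier and qualifier != issuer:
            members = affiliations.get(qualifier)
            if members is None:
                problems.append(f"unknown SPNameQualifier {qualifier}")
            elif issuer not in members:
                problems.append(f"issuer {issuer} is not a member of {qualifier}")
    return problems


if __name__ == "__main__":
    xml_text = build_authn_request(SP_ENTITY_ID, AFFILIATION_ID, IDP_SSO_URL, ACS_URL)
    print(xml_text)
    print("problems:", check_affiliation_request(xml_text, AFFILIATIONS))
```

The membership check is the part worth keeping in a real IdP: accepting any SPNameQualifier the requester names would let a non-member obtain identifiers scoped to an affiliation it does not belong to, which defeats the point of scoping. The check is meaningful only once the request's signature has been verified against the issuing SP's own key, which is the key Scott says is used for signing.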