
saml-dev message


Subject: RE: [saml-dev] Question about affiliationOwnerID

> Then I'm also trying to clarify the SSO sequence and contents of
> <AuthnRequest> that use Affiliation described at page 9 in "SAML 2.0
> Interoperability Testing Procedures"
> http://www.projectliberty.org/liberty/content/download/952/6702/file/LAP-SAML-TP-Rev2.0-Final_7192006165451.pdf

I haven't read it, so I'm not telling you anything based on what that says,
I can only tell you what's spec-legal or not.

> For example, when "http://ServiceProvider.com" is a member of
> affiliation "http://AffiliationA.com",
> I think AuthnRequest is like below.

I think it's close, but you don't use Subject in those cases.

> Then ...
> QUESTION 1: Should Issuer be http://ServiceProvider.com/SAML?


> QUESTION 2: Should SPNameQualifier attribute of NameID be
> http://AffiliationA.com?

No, you would almost never use a Subject there. Certainly not an empty one,
that isn't sensible.

> QUESTION 3: Should SPNameQualifier attribute of NameIDPolicy be
> http://AffiliationA.com  by following [SAMLCore] Element
> <NameIDPolicy>?

If that's the identifier scope you want.

> QUESTION 4: SP signs AuthnRequest by using SP's key (not Affiliation's),
> right?

I doubt the affiliation has a key.

> QUESTION 5: If the answers to QUESTION 1 and 4 are "YES", when and in which
> case is the Affiliation's key used? (I guess it is only used in the
> encryption/decryption case. IdP encrypts something by using the
> Affiliation's public key, then SP decrypts that. To do so, affiliation
> members share the same public-private key pair.)

I would say never.

-- Scott
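The shape Scott describes, as an added example that is not part of the thread or of any SAML library: the SP is the Issuer, the affiliation appears only as SPNameQualifier on NameIDPolicy, and there is no Subject. The second function is the check an IdP could run before honouring such a request. The affiliation registry, request ID and timestamp are constructed values, and the rule that an affiliation-scoped identifier is only released to a registered member of that affiliation is an assumed deployment policy; signing the request with the SP's own key (question 4) is left out.

```python
# Added example (not from the thread): build a SAML 2.0 AuthnRequest that asks
# for an affiliation-scoped identifier, and check such a request as an IdP might.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed registry: affiliation ID -> member SP entity IDs. In a real
# deployment this comes from metadata (an AffiliationDescriptor).
AFFILIATIONS = {
    "http://AffiliationA.com": {"http://ServiceProvider.com/SAML"},
}


def build_authn_request(sp_entity_id, affiliation_id, request_id, issue_instant):
    """Return an AuthnRequest string: Issuer is the SP itself, the affiliation
    only appears as SPNameQualifier on NameIDPolicy, and there is no Subject."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "SPNameQualifier": affiliation_id,
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def check_authn_request(xml_text, affiliations=AFFILIATIONS):
    """Return the problems an IdP would flag before honouring the request.
    An empty list means the request passes every check below."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not an AuthnRequest"]

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if not issuer:
        problems.append("missing Issuer")

    # An SSO request normally carries no Subject, and an empty one never
    # means anything, so both cases are reported.
    subject = root.find("saml:Subject", namespaces=NS)
    if subject is not None:
        if len(subject) == 0:
            problems.append("empty Subject is not sensible")
        else:
            problems.append("Subject present; unusual for an SSO request")

    policy = root.find("samlp:NameIDPolicy", namespaces=NS)
    if policy is not None:
        qualifier = policy.get("SPNameQualifier")
        if qualifier and qualifier != issuer:
            # Assumed policy: an identifier scoped to an affiliation is only
            # released to a requester registered as a member of it.
            members = affiliations.get(qualifier)
            if members is None:
                problems.append(f"unknown SPNameQualifier {qualifier}")
            elif issuer not in members:
                problems.append(f"{issuer} is not a member of {qualifier}")
    return problems


if __name__ == "__main__":
    req = build_authn_request("http://ServiceProvider.com/SAML",
                              "http://AffiliationA.com",
                              "_constructed-id-1", "2006-07-19T00:00:00Z")
    print(req)
    print(check_authn_request(req))
```

Note that the affiliation never signs or decrypts anything here: the only place it shows up is the SPNameQualifier value, which selects the namespace the IdP scopes the returned identifier to.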
