Subject: RE: [saml-dev] Question concerning linking of principals
How does the Relying Party know which Principal B they should query attributes for? Or are you saying that there's only one Principal B in Principal A's attributes?

In any case, this isn't an easy problem when a) you want to support principals that may be asserted by different identity providers (e.g. Principal B's IdP may not be the same as Principal A's), b) you want to protect the privacy of Principal B (so the NameIDs at each relying party can't be the same), c) you want to support a situation where Principal A may have many Principal Bs that they may want to interact with, and d) you want to invoke the request for Principal B's attributes in an invocation context where Principal B is *not* actively participating (e.g. the RP, in the context of Principal A visiting its site, wants to get to Principal B's attributes/resources).

Liberty addressed these issues in the creation of the People Service (essentially a user's IdP for person-to-person (Principal A to Principal B) federations) and the extension of ID-WSF to support multiple-party transactions (Principal A invoking/accessing Principal B's attributes/resources).

Conor

-----Original Message-----
From: Josh Howlett [mailto:Josh.Howlett@ja.net]
Sent: Wednesday, August 20, 2008 6:59 AM
To: SAML Developers
Cc: Josh Howlett
Subject: [saml-dev] Question concerning linking of principals

Problem: a Relying Party wants to query some attributes for a principal (call him Principal B) that has some association with a principal (call him Principal A) that the RP already holds a NameID for.

Would an appropriate solution be for Principal A to have some attributes that give Principal B's NameID and SAML attribute authority? The RP requests these attributes, using Principal A's NameID, and then does a second attribute request using these NameID and AA values?

Are there any other approaches to this?

Thanks for any insight...

josh.
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
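The two-stage flow Josh sketches (query A's attribute authority for a link to B, then query B's attribute authority with the returned NameID) as an added, runnable illustration. This is not code from the thread, from JANET(UK) or from any SAML implementation: the attribute names `urn:example:linkedPrincipalNameID` and `urn:example:linkedPrincipalAttributeAuthority`, the entity IDs and AA endpoints, and the sample Response from A's AA are all constructed for the example. It also shows two checks Conor's reply implies a relying party would want: the NameID returned for B is treated as an RP-scoped (pairwise) identifier that only B's AA can resolve, and the AA endpoint named in A's attributes is accepted only if it is already known from trusted metadata, so an attribute value cannot steer the RP to query an arbitrary endpoint. Signature verification of the Response is deliberately left out to keep the flow readable; a real RP verifies it before trusting any attribute.

```python
"""Two-stage SAML 2.0 AttributeQuery: A's AA -> link to B -> B's AA.

Added example; all identifiers below are constructed, not from the thread.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Hypothetical attribute names carrying the A -> B link (assumption: the
# thread proposes the idea but names no attributes).
LINKED_NAMEID_ATTR = "urn:example:linkedPrincipalNameID"
LINKED_AA_ATTR = "urn:example:linkedPrincipalAttributeAuthority"

RP_ENTITY_ID = "https://rp.example.org/sp"          # constructed
IDP_A_AA = "https://idp-a.example.org/aa"           # constructed

# Attribute authorities the RP already trusts from metadata (constructed).
# The second query is only ever sent to an endpoint on this list.
TRUSTED_AAS = {IDP_A_AA, "https://idp-b.example.net/aa"}


def build_attribute_query(name_id, destination, requested):
    """Build a samlp:AttributeQuery for a persistent NameID scoped to this RP."""
    root = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = RP_ENTITY_ID
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    # SPNameQualifier marks the NameID as the pairwise value issued for this RP.
    nid = ET.SubElement(subject, f"{{{SAML}}}NameID",
                        {"Format": PERSISTENT, "SPNameQualifier": RP_ENTITY_ID})
    nid.text = name_id
    for name in requested:
        ET.SubElement(root, f"{{{SAML}}}Attribute", {"Name": name})
    return root


def attributes_from_response(response_xml):
    """Return {Name: [values]} from every AttributeStatement in a Response."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


def resolve_linked_principal(response_a_xml):
    """From A's attributes, return (B's NameID, B's AA) or raise ValueError."""
    attrs = attributes_from_response(response_a_xml)
    try:
        b_name_id = attrs[LINKED_NAMEID_ATTR][0]
        b_aa = attrs[LINKED_AA_ATTR][0]
    except (KeyError, IndexError):
        raise ValueError("A's attributes do not link to a Principal B")
    if b_aa not in TRUSTED_AAS:
        # Never let an attribute value pick an endpoint we have no trust in.
        raise ValueError(f"attribute authority not in trusted metadata: {b_aa}")
    return b_name_id, b_aa


def two_stage_query(a_name_id, response_a_xml, wanted_for_b):
    """Build the first query (to A's AA) and, from A's Response, the second (to B's AA)."""
    first = build_attribute_query(a_name_id, IDP_A_AA, [LINKED_NAMEID_ATTR, LINKED_AA_ATTR])
    b_name_id, b_aa = resolve_linked_principal(response_a_xml)
    second = build_attribute_query(b_name_id, b_aa, wanted_for_b)
    return first, second


# Constructed sample Response from A's AA (unsigned, for illustration only).
RESPONSE_A = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2008-08-20T11:00:00Z">
  <saml:Issuer>{IDP_A_AA}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-08-20T11:00:00Z">
    <saml:Issuer>{IDP_A_AA}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">a-pairwise-id-for-rp</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{LINKED_NAMEID_ATTR}"><saml:AttributeValue>b-pairwise-id-for-rp</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{LINKED_AA_ATTR}"><saml:AttributeValue>https://idp-b.example.net/aa</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    q1, q2 = two_stage_query("a-pairwise-id-for-rp", RESPONSE_A, ["urn:example:displayName"])
    print(ET.tostring(q1, encoding="unicode"))
    print(ET.tostring(q2, encoding="unicode"))
```

Note that the value returned for B only works if B's AA can resolve a NameID scoped to this RP; that is the pairwise-identifier constraint Conor raises in point b), and it is what makes a per-RP link attribute on A (rather than a global identifier for B) necessary if B's privacy is to hold.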