
saml-dev message


Subject: Any common identity creation profile?

Simply put, we have a SAML IdP, and some applications that act as SPs for SSO.

One issue that we have is that we can create an identity on the SSO IdP, and when a user hits an application, we have attributes in the payload that the application can use to update local identity information, preferences, etc. for the person logging in, and it can create these on the fly the first time the user shows up.

The issue we have is that there's no way for an administrator of the local application to do any provisioning of users before they log in because the application has never seen the user before.

So, we want to create a process to push identities out to the compatible applications, so that will be possible.

But, we don't really have a protocol we can use to do it.

We were thinking that, rather than contrive a complete format out of whole cloth, we could leverage a SAML Assertion with a stack of Attributes for this, since it can carry all of the information we need, and we already have some SAML processing code to deal with SSO. Plus, it would be nice to leverage the signing code.

SAML Core has the Name Identifier Management Protocol. This appears to be designed to manage changing and updating of the identifier, but it doesn't offer any mechanism for sharing attributes, and it has no mechanism for actually creating an identifier.

My question is simply if there's an existing profile in common use I could leverage already, and/or any pointers on how to leverage a SAML assertion in my own payload. Can I simply make my own RequestType that extends RequestAbstractType, and add an Assertion element to the request? Is that the best way to do this?

Thanks for any pointers.


Will Hartung

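A sketch of the shape the question describes, a custom request wrapping a saml:Assertion whose AttributeStatement carries the provisioning data, together with the checks the receiving application would run before trusting it. This is an added example, not code from the original message; the ProvisionRequest element name and the urn:example:prov namespace are assumptions, and signature verification is left to the existing SSO code path.

```python
# Added example: hypothetical provisioning request carrying a saml:Assertion,
# plus a receiver-side parser that extracts attributes only after sanity checks.
# "ProvisionRequest" and "urn:example:prov" are assumed names, not from any spec.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "prov": "urn:example:prov",  # assumed namespace for the custom request type
}

# Constructed sample: the attributes of RequestAbstractType (ID, Version,
# IssueInstant), an Issuer, and an Assertion with an AttributeStatement.
SAMPLE_REQUEST = """<prov:ProvisionRequest xmlns:prov="urn:example:prov"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>viewer</saml:AttributeValue>
        <saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</prov:ProvisionRequest>"""

def parse_provision_request(xml_text, trusted_issuer, now=None):
    """Return (name_id, {attribute_name: [values]}) or raise ValueError.
    ds:Signature verification is assumed to happen in the existing SSO code
    before this function is called; it is deliberately not shown here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Version") != "2.0":
        raise ValueError("unsupported request version")
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted request issuer")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("missing assertion or untrusted assertion issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no validity window")
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs
```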
