Subject: AuthenticatingAuthority usage
Hi,

When looking into the SAML proxy processing rules defined in SAML Core, one can find the following statement:

    The <saml:AuthnStatement> in the new assertion MUST include a <saml:AuthnContext> element containing a <saml:AuthenticatingAuthority> element referencing the identity provider to which the proxying identity provider referred the presenter. If the original assertion contains <saml:AuthnContext> information that includes one or more <saml:AuthenticatingAuthority> elements, those elements SHOULD be included in the new assertion, with the new element placed after them.

I think this is a bit of a vague description, so I'm wondering about the following things:

1) The AuthenticatingAuthority that references the "identity provider": is this the issuer of the SAML response, or the issuer of the assertion itself?

2) What should happen when a proxy receives a SAML response that contains more than one Assertion and/or more than one AuthnStatement?

3) Is there a special processing rule about recreating the same number of assertions as were received from the IdP, or is the proxy allowed to aggregate them into a single assertion?

4) Is the "element referencing the identity provider" actually the entityID of the IdP? The rest of the spec(s) use the term "unique identifier of the IdP" instead.
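As an added illustration of the quoted proxying rule (example code written for this thread, not from any SAML implementation), the following builds the new assertion's AuthnContext from the received one: existing AuthenticatingAuthority elements are carried over in order and the proxy's own reference is appended after them. The sample AuthnContext and the identifier strings are constructed placeholders; the example takes no position on whether that identifier is the entityID.

```python
import copy
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Constructed sample: the AuthnContext received from the upstream IdP, which
# already carries one AuthenticatingAuthority from an earlier proxy hop.
ORIGINAL_AUTHN_CONTEXT = f"""
<saml:AuthnContext xmlns:saml="{SAML}">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  <saml:AuthenticatingAuthority>https://idp.example.org/first-hop</saml:AuthenticatingAuthority>
</saml:AuthnContext>
"""


def authenticating_authorities(ctx: ET.Element) -> list:
    """Return the AuthenticatingAuthority values in document order."""
    return [e.text for e in ctx.findall(f"{{{SAML}}}AuthenticatingAuthority")]


def proxied_authn_context(original_xml: str, referred_idp: str) -> ET.Element:
    """Build the AuthnContext for the proxy's new assertion.

    Every child of the original AuthnContext (class/decl refs and any
    AuthenticatingAuthority elements) is copied in its original order, then one
    new AuthenticatingAuthority naming the IdP the proxy referred the presenter
    to is appended, so it lands after the existing ones as the rule requires.
    `referred_idp` is a placeholder identifier string (assumption).
    """
    original = ET.fromstring(original_xml)
    new_ctx = ET.Element(f"{{{SAML}}}AuthnContext")
    for child in original:
        new_ctx.append(copy.deepcopy(child))
    added = ET.SubElement(new_ctx, f"{{{SAML}}}AuthenticatingAuthority")
    added.text = referred_idp
    return new_ctx


if __name__ == "__main__":
    ctx = proxied_authn_context(ORIGINAL_AUTHN_CONTEXT, "https://idp.example.net/upstream")
    print(ET.tostring(ctx, encoding="unicode"))
```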