saml-dev message
Subject: AuthenticatingAuthority usage


Hi,

When looking into the SAML proxy processing rules defined in SAML Core, one can find the following statement: "The <saml:AuthnStatement> in the new assertion MUST include a <saml:AuthnContext> element containing a <saml:AuthenticatingAuthority> element referencing the identity provider to which the proxying identity provider referred the presenter. If the original assertion contains <saml:AuthnContext> information that includes one or more <saml:AuthenticatingAuthority> elements, those elements SHOULD be included in the new assertion, with the new element placed after them."

I think this is a bit of a vague description, so I'm wondering about the following things:

1) The AuthenticatingAuthority that references the "identity provider": is this the issuer of the SAML response, or the issuer of the assertion itself?

2) What should happen when a proxy receives a SAML response that contains more than one Assertion and/or more than one AuthnStatement?

3) Is there a special processing rule about recreating the same number of assertions as was received from the IdP, or is the proxy allowed to aggregate those into a single assertion?

4) Is the "element referencing the identity provider" actually the entityID of the IdP? The rest of the spec(s) use the term "unique identifier of the IdP" instead.

Regards,
Peter
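An added example (not from this thread or from any SAML implementation) of the proxying rule quoted above: the proxy copies the original assertion's AuthenticatingAuthority elements in order and appends one naming the IdP it relied on, placed after them. It assumes the referenced identity provider is identified by its entityID; the assertion and entityIDs are constructed sample values.

```python
"""Added example: building the AuthnContext for a proxied SAML 2.0 assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: an assertion issued by a first proxy (proxy1) that already
# carries one AuthenticatingAuthority pointing at the IdP that really authenticated.
ORIGINAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://proxy1.example/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://origin-idp.example/metadata</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def q(tag: str) -> str:
    """Clark-notation name for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def proxied_authn_context(original_assertion_xml: str, upstream_idp_entity_id: str) -> ET.Element:
    """Build the <saml:AuthnContext> the proxy puts in its own assertion.

    upstream_idp_entity_id is the entityID of the IdP the proxy referred the
    presenter to (assumption: the "identity provider" is named by its entityID).
    Only the first AuthnStatement is considered; how to handle several is the
    open question in the post above."""
    root = ET.fromstring(original_assertion_xml)
    stmt = root.find(q("AuthnStatement"))
    if stmt is None:
        raise ValueError("original assertion has no AuthnStatement")
    new_ctx = ET.Element(q("AuthnContext"))
    orig_ctx = stmt.find(q("AuthnContext"))
    if orig_ctx is not None:
        # Schema order: ClassRef / DeclRef first, then AuthenticatingAuthority*.
        for tag in ("AuthnContextClassRef", "AuthnContextDeclRef"):
            ref = orig_ctx.find(q(tag))
            if ref is not None:
                ET.SubElement(new_ctx, q(tag)).text = ref.text
        for aa in orig_ctx.findall(q("AuthenticatingAuthority")):
            ET.SubElement(new_ctx, q("AuthenticatingAuthority")).text = aa.text
    # The proxy's own element goes after any inherited ones (SHOULD in SAML Core).
    ET.SubElement(new_ctx, q("AuthenticatingAuthority")).text = upstream_idp_entity_id
    return new_ctx


def authenticating_authorities(ctx: ET.Element) -> list:
    """Ordered list of entityIDs in the AuthenticatingAuthority chain."""
    return [e.text for e in ctx.findall(q("AuthenticatingAuthority"))]
```

Running `ET.tostring(proxied_authn_context(ORIGINAL_ASSERTION, "https://proxy1.example/metadata"), encoding="unicode")` shows the chain origin IdP then proxy1, which is what a downstream SP can inspect to see every hop the authentication passed through.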