
saml-dev message


Subject: AuthenticatingAuthority usage


When looking into the SAML proxy processing rules defined in SAML Core, one can find the following statement:

"The <saml:AuthnStatement> in the new assertion MUST include a <saml:AuthnContext> element containing a <saml:AuthenticatingAuthority> element referencing the identity provider to which the proxying identity provider referred the presenter. If the original assertion contains <saml:AuthnContext> information that includes one or more <saml:AuthenticatingAuthority> elements, those elements SHOULD be included in the new assertion, with the new element placed after them."

I think this is a bit of a vague description, so I'm wondering about the following things:

1) The AuthenticatingAuthority that references the "identity provider": is this the issuer of the SAML response, or the issuer of the assertion itself?

2) What should happen when a proxy receives a SAML response that contains more than one Assertion and/or more than one AuthnStatement?

3) Is there a special processing rule about recreating the same number of assertions as was received from the IdP, or is the proxy allowed to aggregate them into a single assertion?

4) Is the "element referencing the identity provider" actually the entityID of the IdP? The rest of the spec(s) use the term "unique identifier of the IdP" instead.
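
As an added example (not part of the original message and not OASIS or any SAML implementation's code), the following Python script applies the quoted rule mechanically: the AuthnContext of the received assertion is copied, any AuthenticatingAuthority elements it already carries are kept in order, and a new AuthenticatingAuthority for the IdP the proxy referred the presenter to is appended after them. The sample assertions and every entity identifier in it are constructed; it assumes the AuthenticatingAuthority value is that IdP's entityID URI and handles one AuthnStatement per assertion, so the questions above about multiple assertions or statements, and about which issuer is meant, are left open exactly as the message leaves them.

```python
"""Constructed example: build the AuthnContext of a proxied SAML 2.0 assertion
according to the proxy processing rule quoted above. The sample assertions and
all entity identifiers below are made up for illustration."""
import copy
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def q(local):
    """Clark-notation tag for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


# Constructed: the assertion the proxying IdP received from the upstream IdP
# (https://upstream-idp.example.org/idp). That IdP was itself a proxy, so its
# AuthnContext already names the IdP that originally authenticated the user.
ORIGINAL_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_orig1" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://upstream-idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://origin-idp.example.org/idp</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed: a first-hop assertion that carries no AuthenticatingAuthority yet.
FIRST_HOP_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_orig2" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://upstream-idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authenticating_authorities(authn_context):
    """AuthenticatingAuthority values of an AuthnContext, in document order."""
    return [e.text.strip() for e in authn_context.findall(q("AuthenticatingAuthority"))]


def proxied_authn_context(original_authn_statement, referred_idp):
    """Build the AuthnContext for the proxy's new assertion.

    Rule applied: AuthenticatingAuthority elements of the original AuthnContext are
    kept in their order (SHOULD), and a new one referencing referred_idp, the IdP
    the proxy referred the presenter to, is placed after them (MUST). The rest of
    the AuthnContext (ClassRef / DeclRef) is carried over unchanged. referred_idp
    is assumed here to be that IdP's entityID URI.
    """
    src = original_authn_statement.find(q("AuthnContext"))
    if src is None:
        raise ValueError("original AuthnStatement carries no AuthnContext")
    ctx = copy.deepcopy(src)
    # The schema lists AuthenticatingAuthority* last inside AuthnContext, so
    # appending puts the new element after any existing ones and keeps it valid.
    ET.SubElement(ctx, q("AuthenticatingAuthority")).text = referred_idp
    return ctx


def build_proxied_assertion(original_xml, proxy_entity_id, referred_idp):
    """Issue the proxy's new assertion for one received assertion.

    Only the AuthnStatement rule is implemented: the Subject is copied, the proxy's
    entityID becomes the Issuer, and the rebuilt AuthnContext is attached. Signing,
    Conditions and the remaining proxy rules are out of scope for this example.
    Returns (assertion_element, authority_chain).
    """
    original = ET.fromstring(original_xml)
    stmt = original.find(q("AuthnStatement"))
    new = ET.Element(q("Assertion"), {"ID": "_proxied" + original.get("ID"),
                                      "Version": "2.0",
                                      "IssueInstant": original.get("IssueInstant")})
    ET.SubElement(new, q("Issuer")).text = proxy_entity_id
    new.append(copy.deepcopy(original.find(q("Subject"))))
    new_stmt = ET.SubElement(new, q("AuthnStatement"),
                             {"AuthnInstant": stmt.get("AuthnInstant")})
    new_ctx = proxied_authn_context(stmt, referred_idp)
    new_stmt.append(new_ctx)
    return new, authenticating_authorities(new_ctx)


if __name__ == "__main__":
    assertion, chain = build_proxied_assertion(
        ORIGINAL_ASSERTION, "https://proxy-idp.example.org/idp",
        "https://upstream-idp.example.org/idp")
    print("authority chain:", " -> ".join(chain))
    print(ET.tostring(assertion, encoding="unicode"))
```

Run with no arguments it prints the authority chain (origin IdP first, upstream IdP appended after it) and the serialized new assertion; the second constructed input shows that a first-hop assertion simply gains its first AuthenticatingAuthority.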

