saml-dev message



Subject: Re: AuthenticatingAuthority usage


1) the AuthenticatingAuthority that references the "identity provider"
-> is this the issuer of the SAML response, or the issuer of the
assertion itself?

Looking at the errata version of the SAML profile spec, I think I have my answer now:
"If the <Response> message is signed or
if an enclosed assertion is encrypted, then the <Issuer> element MUST be present. Otherwise it MAY be omitted. If present it MUST contain the unique identifier of the issuing identity provider;"

"It MUST contain at least one <Assertion>. Each assertion's <Issuer> element MUST contain the
unique identifier of the [E26]responding identity provider;"

So a) I shouldn't use the Response's Issuer as it may be omitted and b) all the assertions within a SAML response should have the same unique identifier in their Issuer element, which is the *responding* identity provider (not the issuing as it was in the non-errata version of the spec).

However it's still a bit unclear what should happen with Assertions containing different AuthenticatingAuthority lists, but I guess that's more of an edge case really...

Regards,
Peter
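The reading above (take the identity provider from each assertion's Issuer because the Response-level Issuer may be omitted, and require all assertions to agree) as a relying-party check. This is an added example, not code from the thread or from OASIS; the entity IDs and the Response document are constructed, and it assumes XML signatures have already been verified and any EncryptedAssertion decrypted before the Issuer is trusted.

```python
# Added example (not from the thread): derive the responding IdP from each
# assertion's <Issuer>, since the Response-level <Issuer> MAY be omitted,
# and fail closed if the assertions disagree. Assumes signatures verified.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CTX = "saml:AuthnStatement/saml:AuthnContext/"
# Constructed sample: no Response-level Issuer, two assertions from one IdP,
# only the first carrying an AuthenticatingAuthority (the thread's edge case).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
   <saml:AuthenticatingAuthority>https://upstream.example.net/</saml:AuthenticatingAuthority>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
 <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def responding_idp(response_xml):
    """Return (idp_entity_id, [AuthenticatingAuthority list per assertion])."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("Response carries no <Assertion>")
    issuers, authorities = set(), []
    for a in assertions:
        issuer = a.find("saml:Issuer", NS)
        if issuer is None or not (issuer.text or "").strip():
            raise ValueError("assertion %s lacks <Issuer>" % a.get("ID"))
        issuers.add(issuer.text.strip())
        # AuthenticatingAuthority may differ per assertion; report each list.
        authorities.append([e.text.strip() for e in
                            a.findall(CTX + "saml:AuthenticatingAuthority", NS)])
    if len(issuers) != 1:
        raise ValueError("assertions name different issuers: %s" % sorted(issuers))
    idp = issuers.pop()
    resp_issuer = root.find("saml:Issuer", NS)  # optional; must agree if present
    if resp_issuer is not None and (resp_issuer.text or "").strip() != idp:
        raise ValueError("Response <Issuer> disagrees with assertion <Issuer>")
    return idp, authorities
```

The caller is left to decide policy for the per-assertion AuthenticatingAuthority lists (for example, rejecting a Response whose assertions name different upstream authorities), since the spec text quoted above does not settle that case.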
