OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] AllowCreate in NameIDPolicy element

> I'm trying to understand the AllowCreate attribute of a
> samlp:NameIDPolicy element.

I haven't yet.

> On an operational level, does this mean that computed or transient
> NameIDs cannot be used unless AllowCreate is true?

Strictly speaking, yes, which is why it's been set to true in all Shibboleth releases unconditionally. Transients are sort of out of the mix because they aren't persistent, so it doesn't actually represent ongoing state.

> On the policy level, why should an SP care?

There was a school of thought that the act of establishing a shared identifier represented a major act of significance that users should need to consent to, and as such, an SP would need the ability to "opt out" of having that happen if it hadn't obtained that consent.

It's on par with some of the other "policy" indicators that lawyers seem to like, but is worse in that it defaults in the wrong direction.

In practice I believe it's largely ignored.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]