
security-services message


Subject: W2a: SSO with Attribute Exchange

Proposed high-level changes to Section 3.2 of ID-FF 1.2 to accommodate W-2a: Attribute-based SSO



The main change is to allow attribute statements in returned assertions carried in an AuthNResponse.

The current text in Section 3.2 refers to authentication assertions (lines 512 and 444-445), which appears to me to be in error. Looking at the remaining text, the intent appears to have been to allow assertions with authentication statements to be returned. This proposal would extend this to allow the occurrence of attribute statements as well.

The <NameIDPolicy> element in an AuthNRequest carries a hint about the type of information being requested from the identity provider. The range of values would be extended to include "attribute-based".

The <saml:NameIdentifier> is always provided by the IdP for this case. Depending upon prior agreement between the IdP and SP, it may be either a long-lived pseudonymous identifier or a well-known identifier drawn from the user profile. The Format attribute of the Liberty SubjectType would be extended to include "pseudonym" or "profile identifier".
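As an added illustration (not part of the original message or of the ID-FF specification), the following Python sketches the checks a service provider would apply to an AuthNResponse under this proposal: an authentication statement must be present, an "attribute-based" request must yield an attribute statement, the NameIdentifier must carry one of the agreed Format values, and every statement must bind to the same subject. The namespace URIs are assumed to be those of ID-FF 1.2 and SAML 1.x, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of ID-FF 1.2 and SAML 1.x (assumed here; check the text you target).
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
LIB = "urn:liberty:iff:2003-08"
# Proposed values from the mail, agreed between IdP and SP beforehand (hypothetical).
ATTRIBUTE_BASED = "attribute-based"
AGREED_FORMATS = {"pseudonym", "profile identifier"}

# Constructed sample: one assertion with an authentication statement and an
# attribute statement, both bound to the same pseudonymous NameIdentifier.
SAMPLE_RESPONSE = f"""<lib:AuthnResponse xmlns:lib="{LIB}" xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:AuthenticationStatement>
      <saml:Subject><saml:NameIdentifier Format="pseudonym">p-7f3a</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Format="pseudonym">p-7f3a</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="mail"><saml:AttributeValue>u@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</lib:AuthnResponse>"""

def check_response(xml_text, requested_policy):
    """Return a list of problems; an empty list means the response satisfies the proposal."""
    root = ET.fromstring(xml_text)
    problems = []
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return ["no assertion in AuthnResponse"]
    for a in assertions:
        authn = a.findall(f"{{{SAML}}}AuthenticationStatement")
        attrs = a.findall(f"{{{SAML}}}AttributeStatement")
        if not authn:
            problems.append("assertion lacks an AuthenticationStatement")
        if requested_policy == ATTRIBUTE_BASED and not attrs:
            problems.append("attribute-based request but no AttributeStatement returned")
        # NameIdentifier is mandatory, its Format must be an agreed value, and
        # all statements in the assertion must refer to the same subject.
        ids = set()
        for st in authn + attrs:
            nid = st.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
            if nid is None:
                problems.append(f"{st.tag.split('}')[1]} has no NameIdentifier")
                continue
            if nid.get("Format") not in AGREED_FORMATS:
                problems.append(f"unexpected NameIdentifier Format {nid.get('Format')!r}")
            ids.add((nid.get("Format"), (nid.text or "").strip()))
        if len(ids) > 1:
            problems.append("statements refer to different subjects")
    return problems
```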
