security-services message


Subject: RE: [security-services] Inclusion of Federated Name Registration Protocol in SAML 2.0

> The SP half of the protocol is indeed for those niche cases. I think in
> ID-FF the ability for the IdP to refresh its identifier was added as an
> afterthought, but I think that's actually the more useful half.


I believe that RNI was added *mostly* for the benefit of the IdP, to 
enable update of the NameID, as Scott noted, to better protect the 
privacy of the Principal. I also believe that there are companies out 
there that find this functionality useful, and would like SPs to support 
their periodic refreshing of NameIDs.

Could this not be accomplished by the IdP (optionally) returning a "fresh"
federation identifier as part of the AuthNResponse? That is a modest
extension to an existing protocol vs. the introduction of a whole new
request-response pair.

I have not encountered a single deployment where this functionality is in
use or planned to be used. I would be interested in learning about
deployments where this protocol is in use or will be used.

- prateek
