OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] NameIDPolicy Format use clarification


> Note that section 8.3 of core does not list the
> urn:...:nameid-format:encrypted since it is never actually carried in
> the format attribute of an actual NameID.  It is described in the
> NameIDPolicy element discussion (section 3.4.1.1).  

Correct.

> We should probably list it in the section with a clear explanation of
> where it is used (and not used).

I didn't want to list it in 8.3 because it's not a legal format. It's a
processing rule of the NameIDPolicy element only.

> So is the assumption that if the NameIDPolicy does request an encrypted
> NameID, that the returned NameID should be a persistent identifier?
> IMO, SOMETHING should be stated to be assumed, since otherwise, the
> "...:encrypted" format is not useful.

It is clearly stated:

"The special Format value
urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted indicates that the
resulting assertion(s) MUST contain <EncryptedID> elements instead of
plaintext. The underlying name identifier's unencrypted form can be of any
type supported by the identity provider for the requested subject."

Nothing in there is implying you have to use persistent. What did y'all do
to decide what to send before NameIDPolicy existed? ;-)

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]