Subject: RE: [security-services] NameIDPolicy Format use clarification
> Note that section 8.3 of core does not list the
> urn:...:nameid-format:encrypted since it is never actually carried in
> the format attribute of an actual NameID. It is described in the
> NameIDPolicy element discussion (section 3.4.1.1).

Correct.

> We should probably list it in the section with a clear explanation of
> where it is used (and not used).

I didn't want to list it in 8.3 because it's not a legal format. It's a processing rule of the NameIDPolicy element only.

> So is the assumption that if the NameIDPolicy does request an encrypted
> NameID, that the returned NameID should be a persistent identifier?
> IMO, SOMETHING should be stated to be assumed, since otherwise, the
> "...:encrypted" format is not useful.

It is clearly stated:

"The special Format value urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted indicates that the resulting assertion(s) MUST contain <EncryptedID> elements instead of plaintext. The underlying name identifier's unencrypted form can be of any type supported by the identity provider for the requested subject."

Nothing in there is implying you have to use persistent. What did y'all do to decide what to send before NameIDPolicy existed? ;-)

-- Scott
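As an added example (not part of this thread or of the SAML specification text), a small Python conformance check that applies the rule discussed above: when NameIDPolicy requests the `:encrypted` value, the resulting Subject must carry `<EncryptedID>` rather than a plaintext `<NameID>`, and `:encrypted` is never itself a legal NameID `Format` attribute. Namespace URIs and element names are those of SAML 2.0 core; the request and response messages are constructed, minimal samples.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def requested_format(authn_request_xml):
    """Return the Format of <samlp:NameIDPolicy>, or None if the request has none."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def check_subjects(response_xml, fmt):
    """Check each <saml:Subject> in a Response against the requested NameIDPolicy Format.

    Returns a list of findings; an empty list means the Subjects conform. ':encrypted'
    is a NameIDPolicy processing rule only: it requires an <EncryptedID> in place of
    plaintext (the underlying identifier may be of any type) and is never a legal
    NameID Format value (core section 8.3).
    """
    findings = []
    for subject in ET.fromstring(response_xml).iter(f"{{{SAML}}}Subject"):
        name_id = subject.find(f"{{{SAML}}}NameID")
        enc_id = subject.find(f"{{{SAML}}}EncryptedID")
        if fmt == ENCRYPTED and enc_id is None:
            findings.append("':encrypted' requested but Subject has no EncryptedID")
        if fmt == ENCRYPTED and name_id is not None:
            findings.append("':encrypted' requested but Subject carries a plaintext NameID")
        if name_id is not None and name_id.get("Format") == ENCRYPTED:
            findings.append("NameID uses ':encrypted' as its Format, which is not a legal format")
    return findings


def response_with(subject_xml):
    """Build a constructed, deliberately minimal <samlp:Response> around one Subject."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2005-01-01T00:00:01Z"><saml:Assertion ID="_a1" Version="2.0" '
            f'IssueInstant="2005-01-01T00:00:01Z"><saml:Subject>{subject_xml}</saml:Subject>'
            f'</saml:Assertion></samlp:Response>')


# Constructed sample messages (not from any real deployment).
REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
           f'IssueInstant="2005-01-01T00:00:00Z"><samlp:NameIDPolicy Format="{ENCRYPTED}"/>'
           f'</samlp:AuthnRequest>')
CONFORMING = response_with('<saml:EncryptedID><xenc:EncryptedData '
                           'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')
PLAINTEXT = response_with(f'<saml:NameID Format="{PERSISTENT}">_abc123</saml:NameID>')
ILLEGAL_FORMAT = response_with(f'<saml:NameID Format="{ENCRYPTED}">_abc123</saml:NameID>')
```

Run `check_subjects(response, requested_format(request))` on a captured exchange; a persistent identifier with no `:encrypted` request passes, and a plaintext NameID after an `:encrypted` request is reported twice (missing EncryptedID, plaintext present).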