security-services message



Subject: RE: [security-services] Suggestion for conformance of NameIdentifier


> Here is an idea. We could state that as a minimum the SAML
> consumer must treat unrecognized NameIdentifier formats as
> transient. No persistent data would be stored but SSO would
> still work without failing.
>
> This way we have at least some guarantee of interoperability.
> Then we could let the SAML providers choose any of the Name
> Identifier formats they want.

I would have assumed this was implied, so I think the real problem is still
just defining what it means to conform. To me, supporting a format as a
consumer means nothing except that you can pass the value resulting from
SAML authentication to whatever is authenticated. Mapping it in any way (let
alone storing it) is out of scope.

There just have to be interfaces to appropriately support people that do
want to map/store the values, hook the ManageNameID protocol, etc. Anything
else, to me, is value-add (or rephrased, bringing out of scope elements in
scope).

I really just ask what people were doing before. Did nobody support the
Kerberos format without somehow assuming you had to be able to turn that
into a TGT or something?

-- Scott
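The minimum consumer behaviour proposed in the quoted suggestion, written out as an added example (this is illustration code, not from the thread, from OASIS, or from any SAML implementation): a SAML 2.0 consumer pulls Subject/NameID out of an assertion, keeps the Format URI the IdP asserted, and persists an account link only for the persistent format. Any Format URI the consumer does not recognize is handled exactly like a transient one: the raw value still reaches the application for the SSO session, nothing is stored. The sample assertions, the `urn:example:nameid-format:employee-number` format, the `account_links` store and the `establish_session` helper are all constructed for the example; signature and Conditions checks are assumed to have already passed before this code runs.

```python
# Added example (not from the thread): a SAML 2.0 consumer's minimal policy for
# NameID formats. Unrecognized formats are treated like transient identifiers
# (usable for the SSO session, never persisted); the value itself is passed
# through untouched to whatever gets authenticated.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID formats defined in SAML 2.0 Core, section 8.3 (several keep SAML 1.1 URIs).
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
WINDOWS = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
KNOWN_FORMATS = {UNSPECIFIED, EMAIL, X509, WINDOWS, KERBEROS, ENTITY, PERSISTENT, TRANSIENT}


@dataclass(frozen=True)
class NameIdentifier:
    value: str
    format: str             # Format URI as asserted by the IdP (defaulted if absent)
    name_qualifier: str     # NameQualifier attribute, "" if absent
    sp_name_qualifier: str  # SPNameQualifier attribute, "" if absent
    recognized: bool        # whether this consumer knows the Format URI

    @property
    def effective_format(self) -> str:
        # The proposed minimum rule: an unrecognized format is handled as transient.
        return self.format if self.recognized else TRANSIENT

    @property
    def may_persist(self) -> bool:
        # Only a persistent identifier is something the SP may store against an account.
        return self.effective_format == PERSISTENT

    @property
    def key(self) -> tuple:
        # A NameID's identity includes its qualifiers, not just the string value.
        return (self.name_qualifier, self.sp_name_qualifier, self.format, self.value)


def consume_name_id(assertion_xml: str) -> NameIdentifier:
    """Extract Subject/NameID from a SAML 2.0 assertion and classify it.

    Signature, Issuer, audience and validity checks are assumed to have been
    done on this XML already; this function deals only with the NameIdentifier.
    """
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"./{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    fmt = nid.get("Format", UNSPECIFIED)  # SAML 2.0 Core: 'unspecified' when Format is absent
    return NameIdentifier(
        value=nid.text.strip(),
        format=fmt,
        name_qualifier=nid.get("NameQualifier", ""),
        sp_name_qualifier=nid.get("SPNameQualifier", ""),
        recognized=fmt in KNOWN_FORMATS,
    )


def establish_session(nid: NameIdentifier, account_links: dict) -> dict:
    """Build the SSO session the SP hands to the application.

    account_links is a hypothetical durable store keyed by NameIdentifier.key.
    It is written only for persistent identifiers; every other format, known
    or unknown, yields a session-scoped result that still carries the raw value.
    """
    session = {"subject": nid.value, "format": nid.format, "persisted": False}
    if nid.may_persist:
        account_links.setdefault(nid.key, f"account-{len(account_links) + 1}")
        session["account"] = account_links[nid.key]
        session["persisted"] = True
    return session


def _assertion(name_id_xml: str) -> str:
    # Constructed minimal assertion skeleton for the example; a real assertion
    # also carries Issuer, Conditions, AuthnStatement and an XML signature.
    return (f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_example">'
            f'<saml:Subject>{name_id_xml}</saml:Subject></saml:Assertion>')


# Constructed sample inputs.
PERSISTENT_ASSERTION = _assertion(
    f'<saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org" '
    f'SPNameQualifier="https://sp.example.com">b9f3e1c2a4d5</saml:NameID>')
KERBEROS_ASSERTION = _assertion(
    f'<saml:NameID Format="{KERBEROS}">alice@EXAMPLE.ORG</saml:NameID>')
CUSTOM_ASSERTION = _assertion(  # hypothetical vendor format this consumer does not know
    '<saml:NameID Format="urn:example:nameid-format:employee-number">E-1042</saml:NameID>')
NO_FORMAT_ASSERTION = _assertion('<saml:NameID>alice</saml:NameID>')

if __name__ == "__main__":
    links = {}
    for xml in (PERSISTENT_ASSERTION, KERBEROS_ASSERTION, CUSTOM_ASSERTION, NO_FORMAT_ASSERTION):
        print(establish_session(consume_name_id(xml), links))
    print("stored links:", links)
```

Two things worth noting for a practitioner. The Kerberos principal is handed through as a string exactly as the message describes, without any attempt to turn it into a ticket; and the durable key deliberately includes NameQualifier and SPNameQualifier, because a persistent value is only meaningful in the scope of the qualifiers the IdP asserted it with, so two IdPs issuing the same string must not collapse into one account.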


