Subject: RE: [security-services] Suggestion for conformance of NameIdentifier
> Here is an idea. We could state that as a minimum the SAML
> consumer must treat unrecognized NameIdentifier formats as
> transient. No persistent data would be stored but SSO would
> still work without failing.
>
> This way we have at least some guarantee of interoperability.
> Then we could let the SAML providers choose any of the Name
> Identifier formats they want.

I would have assumed this was implied, so I think the real problem is still just defining what it means to conform.

To me, supporting a format as a consumer means nothing except that you can pass the value resulting from SAML authentication to whatever is authenticated. Mapping it in any way (let alone storing it) is out of scope. There just have to be interfaces to appropriately support people who do want to map/store the values, hook the ManageNameID protocol, etc. Anything else, to me, is value-add (or, rephrased, bringing out-of-scope elements in scope).

I really just ask what people were doing before. Did nobody support the Kerberos format without somehow assuming you had to be able to turn that into a TGT or something?

-- Scott
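The consumer-side rule the two messages above are circling (hand the NameID value through to whatever was authenticated; never key persistent storage on anything but a persistent identifier; treat a Format you have never seen as if it were transient so SSO still completes) is small enough to show in code. The block below is an added example, not code from Scott, the SSTC or any SAML implementation. It assumes the Format URIs of SAML 2.0 Core section 8.3 (including the rule that a missing Format attribute means "unspecified"); `consume`, `parse_name_id`, `RECOGNIZED_FORMATS` and the `urn:example:nameid-format:custom` URI are hypothetical names, and the assertions are constructed samples with signature, Conditions and SubjectConfirmation checking left out of scope.

```python
"""Added example: minimum-conformance NameID handling for a SAML 2.0 consumer.
Not code from the OASIS SSTC or any SAML product; helper names are hypothetical."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID Format URIs from SAML 2.0 Core, section 8.3 (assumed to be the
# formats the thread is discussing).
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Formats this hypothetical consumer "supports": it can hand the value to the
# application. Only the persistent format is ever used as a storage key.
RECOGNIZED_FORMATS = {FMT_UNSPECIFIED, FMT_EMAIL, FMT_KERBEROS, FMT_PERSISTENT, FMT_TRANSIENT}


@dataclass(frozen=True)
class NameId:
    value: str
    fmt: str
    name_qualifier: Optional[str]
    sp_name_qualifier: Optional[str]


def parse_name_id(assertion_xml: str) -> NameId:
    """Extract Subject/NameID from a <saml:Assertion>. Signature, Conditions and
    SubjectConfirmation validation are assumed to have already passed (out of scope)."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return NameId(
        value=nid.text.strip(),
        # SAML 2.0 Core 8.3: a missing Format attribute means "unspecified".
        fmt=nid.get("Format", FMT_UNSPECIFIED),
        name_qualifier=nid.get("NameQualifier"),
        sp_name_qualifier=nid.get("SPNameQualifier"),
    )


def consume(assertion_xml: str) -> dict:
    """Always produce a session principal; only a persistent identifier becomes an
    account-mapping key. An unrecognized Format is handled exactly like transient."""
    nid = parse_name_id(assertion_xml)
    effective_fmt = nid.fmt if nid.fmt in RECOGNIZED_FORMATS else FMT_TRANSIENT
    session = {
        "principal": nid.value,           # passed through untouched, whatever the format
        "format": nid.fmt,                # the IdP's own Format, kept for the app / audit log
        "effective_format": effective_fmt,
        "persist_mapping": effective_fmt == FMT_PERSISTENT,
        "mapping_key": None,
    }
    if session["persist_mapping"]:
        # A persistent ID is only meaningful together with its qualifiers.
        session["mapping_key"] = (nid.name_qualifier, nid.sp_name_qualifier, nid.value)
    return session


def _assertion(name_id_elem: str) -> str:
    # Constructed sample assertion, not a real IdP response.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_a1" '
        'IssueInstant="2004-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        f"<saml:Subject>{name_id_elem}</saml:Subject>"
        "</saml:Assertion>"
    )


ASSERTION_PERSISTENT = _assertion(
    f'<saml:NameID Format="{FMT_PERSISTENT}" NameQualifier="https://idp.example.org" '
    'SPNameQualifier="https://sp.example.com">3f2a9c</saml:NameID>')
ASSERTION_KERBEROS = _assertion(
    f'<saml:NameID Format="{FMT_KERBEROS}">alice@EXAMPLE.ORG</saml:NameID>')
ASSERTION_CUSTOM = _assertion(  # hypothetical vendor Format this consumer has never seen
    '<saml:NameID Format="urn:example:nameid-format:custom">opaque-handle-7</saml:NameID>')
ASSERTION_NO_FORMAT = _assertion('<saml:NameID>bob</saml:NameID>')

if __name__ == "__main__":
    for label, a in [("persistent", ASSERTION_PERSISTENT), ("kerberos", ASSERTION_KERBEROS),
                     ("custom", ASSERTION_CUSTOM), ("no-format", ASSERTION_NO_FORMAT)]:
        s = consume(a)
        print(f"{label:10} principal={s['principal']!r} persist={s['persist_mapping']} "
              f"effective={s['effective_format'].rsplit(':', 1)[-1]}")
```

The Kerberos case is the one Scott raises: the consumer hands `alice@EXAMPLE.ORG` to the application as an opaque principal and makes no attempt to turn it into a ticket. The unknown `urn:example:` Format still yields a usable session, just with `persist_mapping` false, which is the interoperability floor the quoted suggestion asks for.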