Subject: Errata in ManageNameIDRequest text
See below for proposed text clarification that <NewID>/<NewEncryptedID> usage in <ManageNameIDRequest> is only intended to enable a change (notification of change) in identifier value.
3.x? PEx?: Manage Name ID Request Clarification
First reported by: Scott Cantor, OSU / Brian Campbell, Ping Identity
Documents: Bindings and Profiles
The schema defines the <NewID> element of a <ManageNameIDRequest> as a string. The implication is that a NIM (Name Identifier Management) request message from IdP to SP can only be used to inform the SP of a change in identifier value (not format – format is immutable once established). There are a few places in the spec where the text implies that the format can be changed. Additionally, the text about <NewEncryptedID> should be expanded to clarify that the encrypted element is just the encrypted <NewID> element and not a full <NameID> as in the more typical <EncryptedID> element used elsewhere.
There are two ways to approach this. 1) Change the schema to allow format and potentially qualifiers to be changed and make all necessary cascading changes to the spec. 2) Update the wording in the spec to bring it in line with the schema as is and clarify that only the value of the identifier can be managed with the NIM profile. Given the complexity and scope of change involved in option 1 and the consensus that option 2 is sufficient and not too limiting, text changes consistent with option 2 are proposed below.
In Profiles change the text on lines 1320-21 from “Subsequently, the identity provider may wish to notify the service provider of a change in the format and/or value that it will use to identify the same principal in the future” to “Subsequently, the identity provider may wish to notify the service provider of a change in the value that it will use to identify the same principal in the future”
In Core change the text on lines 2412-13 from “After establishing a name identifier for a principal, an identity provider wishing to change the value and/or format of the identifier that it will use when referring to the principal,…” to “After establishing a name identifier for a principal, an identity provider wishing to change the value of the identifier that it will use when referring to the principal,…”
In Core add the following text after line 2438, “In either case, if the <NewEncryptedID> is used, its encrypted content is just a <NewID> element containing only the new value for the identifier (format and qualifiers cannot be changed once established).”
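As an added illustration of the rule the proposed text pins down (this is example code written for this note, not from the SAML specifications or from the errata author), the following SP-side handler accepts a <ManageNameIDRequest> only if it changes the identifier value: the existing <NameID> must match the established identifier attribute for attribute, <NewID> must be a bare string with no Format or qualifier attributes, and <NewEncryptedID> must decrypt to a <NewID> element rather than a <NameID>. The stored record layout, the `decrypt` callback and the base64 "encryption" used by the constructed samples are assumptions of the example, not anything the spec defines.

```python
"""Example SP-side handling of ManageNameIDRequest (added example, not spec code).
Enforces: only the identifier *value* may change; Format and qualifiers are
immutable; NewEncryptedID must decrypt to a bare samlp:NewID element."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SAMLP = "{%s}" % NS["samlp"]

# Constructed sample of what the SP already holds for one principal (layout is an
# assumption of this example).
ESTABLISHED = {
    "value": "a1b2c3",
    "format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "name_qualifier": "https://idp.example.org",
    "sp_name_qualifier": "https://sp.example.com",
}


class NameIDManagementError(ValueError):
    """Raised when a request does something the NIM profile does not permit."""


def stub_decrypt(new_encrypted_id):
    """Stand-in for XML Encryption (assumption): the constructed samples merely
    base64-encode the plaintext in xenc:CipherValue. A real SP would decrypt the
    xenc:EncryptedData with its private key and return the plaintext XML."""
    cv = new_encrypted_id.find(".//xenc:CipherValue", NS)
    if cv is None or not cv.text:
        raise NameIDManagementError("NewEncryptedID carries no CipherValue")
    return base64.b64decode(cv.text.strip()).decode("utf-8")


def apply_manage_nameid(request_xml, established, decrypt=stub_decrypt):
    """Validate a ManageNameIDRequest against the established identifier and
    return the updated record (only 'value' or 'terminated' may change)."""
    root = ET.fromstring(request_xml)
    if root.tag != SAMLP + "ManageNameIDRequest":
        raise NameIDManagementError("not a ManageNameIDRequest")

    # The principal is named by the existing NameID; every attribute must match.
    # (An EncryptedID for the existing identifier is out of scope here.)
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        raise NameIDManagementError("expected a plaintext saml:NameID")
    current = {
        "value": (name_id.text or "").strip(),
        "format": name_id.get("Format"),
        "name_qualifier": name_id.get("NameQualifier"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
    }
    if current != established:
        raise NameIDManagementError("NameID does not match the established identifier")

    # Exactly one of NewID / NewEncryptedID / Terminate may be present.
    new_id = root.find("samlp:NewID", NS)
    new_enc = root.find("samlp:NewEncryptedID", NS)
    terminate = root.find("samlp:Terminate", NS)
    if sum(e is not None for e in (new_id, new_enc, terminate)) != 1:
        raise NameIDManagementError("need exactly one of NewID, NewEncryptedID, Terminate")
    if terminate is not None:
        return dict(established, terminated=True)

    if new_enc is not None:
        # Per the errata: the encrypted content is just a <NewID>, not a <NameID>.
        new_id = ET.fromstring(decrypt(new_enc))
        if new_id.tag != SAMLP + "NewID":
            raise NameIDManagementError("NewEncryptedID must decrypt to samlp:NewID")

    # NewID is schema-typed as a plain string: no Format or qualifier attributes.
    if new_id.attrib:
        raise NameIDManagementError("NewID may not carry attributes such as Format")
    new_value = (new_id.text or "").strip()
    if not new_value:
        raise NameIDManagementError("NewID is empty")
    return dict(established, value=new_value)


def is_rejected(request_xml, established=ESTABLISHED):
    """True if apply_manage_nameid refuses the request."""
    try:
        apply_manage_nameid(request_xml, established)
        return False
    except NameIDManagementError:
        return True


def sample_request(payload):
    """Constructed ManageNameIDRequest naming ESTABLISHED plus the given payload."""
    return f"""<samlp:ManageNameIDRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID Format="{ESTABLISHED['format']}"
      NameQualifier="{ESTABLISHED['name_qualifier']}"
      SPNameQualifier="{ESTABLISHED['sp_name_qualifier']}">{ESTABLISHED['value']}</saml:NameID>
  {payload}
</samlp:ManageNameIDRequest>"""


def encrypted_payload(plaintext_xml):
    """Constructed NewEncryptedID whose 'ciphertext' is base64 of the plaintext."""
    b64 = base64.b64encode(plaintext_xml.encode()).decode()
    return ("<samlp:NewEncryptedID><xenc:EncryptedData><xenc:CipherData>"
            f"<xenc:CipherValue>{b64}</xenc:CipherValue>"
            "</xenc:CipherData></xenc:EncryptedData></samlp:NewEncryptedID>")
```

A request whose <NewID> carries a Format attribute, or whose <NewEncryptedID> decrypts to a <saml:NameID>, is refused, while a bare <NewID> (plaintext or decrypted) updates only the stored value and leaves Format and both qualifiers untouched.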