Subject: RE: [security-services] Errata for NameIDPolicy
------------------------------
Jahan Moreh
Chief Security Architect
310.288.2141
-----Original Message-----
From: Thomas Wisniewski [mailto:Thomas.Wisniewski@entrust.com]
Sent: Friday, June 03, 2005 5:06 AM
To: SAML
Subject: [security-services] Errata for NameIDPolicy

Johan, I'm proposing the following errata text in Core as two new paragraphs between line 2139 and 2140 related to NameIDPolicy. It centers on ensuring that an IDP only returns a NameID that matches a NameIDPolicy (in terms of Format and SPNameQualifier):
"When a Format defined in Section 8.3.7 is used other than urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if the identity provider returns any assertions, the Format value of the <NameID> within any <Assertion> MUST be identical to the Format value supplied in the <NameIDPolicy>.
If the Format value is set to urn:oasis:names:TC:SAML:2.0:nameid-format:persistent and if the SPNameQualifier is not omitted, then if the identity provider returns any assertions, the SPNameQualifier value of the <NameID> within any <Assertion> MUST be identical to the SPNameQualifier value supplied in the <NameIDPolicy>."
Tom.
Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Entrust®
Securing Digital Identities & Information
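An SP-side check of the two proposed paragraphs, added here as an example that is not part of this thread or of any OASIS deliverable: it reads the requested <NameIDPolicy> from an AuthnRequest and reports every returned plaintext <NameID> whose Format (and, for persistent identifiers, SPNameQualifier) does not match. The sample messages are constructed, and the entity IDs https://sp.example.org and https://idp.example.org are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
UNSPECIFIED, ENCRYPTED, PERSISTENT = FMT + "unspecified", FMT + "encrypted", FMT + "persistent"

def nameid_policy(authn_request_xml):
    """(Format, SPNameQualifier) of the request's <NameIDPolicy>; (None, None) if absent."""
    pol = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return (None, None) if pol is None else (pol.get("Format"), pol.get("SPNameQualifier"))

def check_response(authn_request_xml, response_xml):
    """Return a list of violations of the proposed rule; an empty list means the
    IdP honoured the <NameIDPolicy> for every <NameID> it returned."""
    fmt, spnq = nameid_policy(authn_request_xml)
    problems = []
    for assertion in ET.fromstring(response_xml).iter(f"{{{SAML}}}Assertion"):
        nameid = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if nameid is None:
            continue  # <EncryptedID> or no subject identifier: nothing to compare here
        aid = assertion.get("ID")
        # Paragraph 1: any requested Format other than unspecified/encrypted must be echoed exactly
        if fmt and fmt not in (UNSPECIFIED, ENCRYPTED) and nameid.get("Format") != fmt:
            problems.append(f"{aid}: Format {nameid.get('Format')!r} != requested {fmt!r}")
        # Paragraph 2: persistent + SPNameQualifier requested -> SPNameQualifier must match too
        if fmt == PERSISTENT and spnq is not None and nameid.get("SPNameQualifier") != spnq:
            problems.append(f"{aid}: SPNameQualifier {nameid.get('SPNameQualifier')!r} != requested {spnq!r}")
    return problems

# Constructed sample messages (no real traffic); the entity IDs are placeholders.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" IssueInstant="2005-06-03T09:06:00Z">
  <samlp:NameIDPolicy Format="{PERSISTENT}" SPNameQualifier="https://sp.example.org" AllowCreate="true"/>
</samlp:AuthnRequest>"""

def sample_response(fmt, spnq):
    """Constructed <Response> with one assertion whose <NameID> carries the given attributes."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" IssueInstant="2005-06-03T09:06:01Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-06-03T09:06:01Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID Format="{fmt}" SPNameQualifier="{spnq}">_7c3a</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("compliant:", check_response(REQUEST, sample_response(PERSISTENT, "https://sp.example.org")))
    print("wrong format:", check_response(REQUEST, sample_response(FMT + "transient", "https://sp.example.org")))
    print("wrong qualifier:", check_response(REQUEST, sample_response(PERSISTENT, "https://other.example.org")))
```

An SP that rejects responses with a non-empty problem list will not silently accept, for example, a transient identifier where it asked for a persistent one.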