
Subject: RE: [security-services] Errata for NameIDPolicy

Thanks Tom. I assume this is for PE5 as published in draft 07 of the errata document. I will monitor this list for any discussion and on Tuesday we can hopefully finalize this during our con call.

Jahan Moreh
Chief Security Architect

-----Original Message-----
From: Thomas Wisniewski [mailto:Thomas.Wisniewski@entrust.com]
Sent: Friday, June 03, 2005 5:06 AM
Subject: [security-services] Errata for NameIDPolicy

Jahan, I'm proposing the following errata text in Core as two new paragraphs between line 2139 and 2140 related to NameIDPolicy. It centers on ensuring that an IDP only returns a NameID that matches a NameIDPolicy (in terms of Format and SPNameQualifier):

"When a Format defined in Section 8.3.7 is used other than urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if the identity provider returns any assertions, the Format value of the <NameID> within any <Assertion> MUST be identical to the Format value supplied in the <NameIDPolicy>.

If the Format value is set to urn:oasis:names:TC:SAML:2.0:nameid-format:persistent and if the SPNameQualifier is not omitted, then if the identity provider returns any assertions, the SPNameQualifier value of the <NameID> within any <Assertion> MUST be identical to the SPNameQualifier value supplied in the <NameIDPolicy>."


Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Securing Digital Identities
& Information
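The two proposed paragraphs describe a check a service provider can run on the assertions it receives. Below is an added Python example (not code from the thread or from the OASIS SSTC) that applies exactly those two rules: it reads the NameIDPolicy out of an AuthnRequest, walks every Assertion in the Response, and reports a NameID whose Format, or whose SPNameQualifier in the persistent case, does not match what was requested. The SP and IdP names and the sample messages are constructed for the example, and the format URNs use the lowercase "tc" spelling from the published SAML 2.0 Core.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
FMT_UNSPECIFIED = NAMEID_FORMAT + "unspecified"
FMT_ENCRYPTED = NAMEID_FORMAT + "encrypted"
FMT_PERSISTENT = NAMEID_FORMAT + "persistent"


def check_nameid_policy(authn_request_xml: str, response_xml: str) -> list:
    """Return (assertion ID, reason) pairs for every <Assertion> whose <NameID>
    breaks the two proposed NameIDPolicy rules; an empty list means compliant."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return []  # no policy was requested, so there is nothing to enforce
    # An absent Format attribute means "unspecified" in SAML 2.0 Core.
    wanted_format = policy.get("Format", FMT_UNSPECIFIED)
    wanted_spnq = policy.get("SPNameQualifier")  # None when omitted
    violations = []
    for assertion in ET.fromstring(response_xml).iter(f"{{{SAML}}}Assertion"):
        aid = assertion.get("ID", "?")
        name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if name_id is None:
            continue  # EncryptedID or no subject identifier: outside these two rules
        got_format = name_id.get("Format", FMT_UNSPECIFIED)
        # Paragraph 1: any requested Format other than unspecified/encrypted must be echoed exactly.
        if wanted_format not in (FMT_UNSPECIFIED, FMT_ENCRYPTED) and got_format != wanted_format:
            violations.append((aid, f"Format {got_format!r} != requested {wanted_format!r}"))
        # Paragraph 2: persistent plus a supplied SPNameQualifier means the qualifier must match too.
        if wanted_format == FMT_PERSISTENT and wanted_spnq is not None:
            got_spnq = name_id.get("SPNameQualifier")
            if got_spnq != wanted_spnq:
                violations.append((aid, f"SPNameQualifier {got_spnq!r} != requested {wanted_spnq!r}"))
    return violations


# Constructed sample messages with hypothetical SP names; not from any real exchange.
AUTHN_REQUEST = f'''<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="req-1">
  <samlp:NameIDPolicy Format="{FMT_PERSISTENT}" SPNameQualifier="https://sp.example.test"/>
</samlp:AuthnRequest>'''
RESPONSE = f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="resp-1">
  <saml:Assertion ID="a-ok"><saml:Subject>
    <saml:NameID Format="{FMT_PERSISTENT}" SPNameQualifier="https://sp.example.test">u1</saml:NameID>
  </saml:Subject></saml:Assertion>
  <saml:Assertion ID="a-bad"><saml:Subject>
    <saml:NameID Format="{NAMEID_FORMAT}transient" SPNameQualifier="https://other.example.test">t1</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>'''
```

Running `check_nameid_policy(AUTHN_REQUEST, RESPONSE)` flags only assertion `a-bad`, once for the Format mismatch and once for the SPNameQualifier mismatch.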
