[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Errata for NameIDPolicy
> "When a Format defined in Section 8.3.7 is used other than
> urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or
> urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if
> the identity provider returns any assertions, the Format
> value of the <NameID> within any <Assertion> MUST be
> identical to the Format value supplied in the <NameIDPolicy>.

Small clarification, I'd change that to:

"value of the <NameID> within the <Subject> of any <Assertion> MUST be..."

NameID shows up inside subject confirmation also, just wanted to be precise.

> If the Format value is set to
> urn:oasis:names:TC:SAML:2.0:nameid-format:persistent and if
> the SPNameQualifier is not omitted, then if the identity
> provider returns any assertions, the SPNameQualifier value of
> the <NameID> within any <Assertion> MUST be identical to the
> SPNameQualifier value supplied in the <NameIDPolicy>."

I don't think we need to constrain this to persistent. SPNameQualifier is currently a SHOULD NOT as far as using it with anything else because no other format defines its use, but if a new one does, that's fine. I think it should simply be "match it" without regard to the format.

-- Scott
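The two rules discussed above are something a service provider should enforce when it consumes a Response, not just something the errata asks of identity providers. The following is an added example, not code from the list thread or from any SAML implementation: an SP-side check that compares the <NameIDPolicy> of the AuthnRequest it sent with the <NameID> in the <Subject> of each returned <Assertion>. It follows Scott's two points: only the Subject's NameID is examined (a NameID inside <SubjectConfirmation> is ignored), and the SPNameQualifier comparison is applied whenever the policy supplied one, with a flag to fall back to the persistent-only wording of the quoted errata for comparison. The format URIs are spelled as registered in SAML 2.0 Core (lowercase "tc"; "unspecified" is the 1.1 identifier). The AuthnRequest and Response documents, the entity IDs, the IDs and timestamps are all constructed sample data.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# NameID Format identifiers as registered in SAML 2.0 Core, section 8.3.
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample entity ID of the requesting SP (hypothetical).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def make_request(policy_format=None, policy_spnq=None):
    """Constructed sample <AuthnRequest> carrying a <NameIDPolicy> (not a real SP's output)."""
    attrs = ""
    if policy_format:
        attrs += f' Format="{policy_format}"'
    if policy_spnq:
        attrs += f' SPNameQualifier="{policy_spnq}"'
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_q1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <samlp:NameIDPolicy{attrs} AllowCreate="true"/>
</samlp:AuthnRequest>"""


def make_response(subject_format, subject_spnq=None):
    """Constructed sample <Response> (not a real IdP's output). The Subject carries one
    <NameID> of the given Format; the <SubjectConfirmation> deliberately carries a
    transient <NameID> so that the check can be seen to ignore it."""
    spnq_attr = f' SPNameQualifier="{subject_spnq}"' if subject_spnq else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{subject_format}"{spnq_attr}>user-abc123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:NameID Format="{FMT_TRANSIENT}">_conf42</saml:NameID>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_nameid_policy(authn_request_xml):
    """Return (Format, SPNameQualifier) from the request's <NameIDPolicy>.
    A missing element or Format attribute means 'unspecified'."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is None:
        return FMT_UNSPECIFIED, None
    return policy.get("Format", FMT_UNSPECIFIED), policy.get("SPNameQualifier")


def check_response(authn_request_xml, response_xml, qualifier_any_format=True):
    """Return a list of violations (empty if every assertion honours the policy).

    qualifier_any_format=True  -> SPNameQualifier must match whenever the policy
                                  supplied one, regardless of Format.
    qualifier_any_format=False -> the SPNameQualifier rule applies only when the
                                  requested Format is persistent."""
    want_fmt, want_spnq = parse_nameid_policy(authn_request_xml)
    violations = []
    for idx, assertion in enumerate(ET.fromstring(response_xml).findall("saml:Assertion", NS)):
        # Only the Subject's own NameID is constrained; SubjectConfirmation/NameID is not.
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            if want_fmt not in (FMT_UNSPECIFIED, FMT_ENCRYPTED):
                violations.append(f"assertion {idx}: Subject has no plain <NameID> but policy requested {want_fmt}")
            continue
        got_fmt = name_id.get("Format", FMT_UNSPECIFIED)
        if want_fmt not in (FMT_UNSPECIFIED, FMT_ENCRYPTED) and got_fmt != want_fmt:
            violations.append(f"assertion {idx}: NameID Format {got_fmt} != requested {want_fmt}")
        if want_spnq is not None and (qualifier_any_format or want_fmt == FMT_PERSISTENT):
            got_spnq = name_id.get("SPNameQualifier")
            if got_spnq != want_spnq:
                violations.append(f"assertion {idx}: SPNameQualifier {got_spnq!r} != requested {want_spnq!r}")
    return violations


if __name__ == "__main__":
    req = make_request(FMT_PERSISTENT, SP_ENTITY_ID)
    print("good:", check_response(req, make_response(FMT_PERSISTENT, SP_ENTITY_ID)))
    print("bad: ", check_response(req, make_response(FMT_TRANSIENT, "https://other.example.net")))
```

The transient-format case shows where the two readings differ: with a policy of Format transient plus an SPNameQualifier, and an assertion whose NameID omits the qualifier, the "match it regardless of format" reading reports a violation while the persistent-only wording accepts the assertion.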