[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Affiliation ID
Unless this changed from ID-FF, the communication between the SPs that are members of the affiliation, about the user's NameID, is out of scope. So, the IdP maintains only one mapping for the affiliation and treats all members of the affiliation as equal (and is not responsible for replicating changes among the members).

-Greg

On Jun 12, 2005, at 6:40 AM, Thomas Wisniewski wrote:

> Hi, when an affiliation id is used with persistent identifiers -- it
> is set using SPNameQualifier (primarily dictated by an SP).
>
> What I'm not clear on is whether the affiliation id is managed at all
> SPs? I.e., does a user have to federate (somehow) themselves for each
> of their SPs. So if you have 5 SPs using 1 affiliation and one IDP for
> these 5, does a user have to federate with each of the 5.
>
> Put another way, consider MNI, where the SPProvidedID is being changed
> by an SP, or the NameID value is being changed by the IDP. For the
> latter case, does the IDP have to send the MNI request to all SPs? If
> you think about the UI at the IDP, does the user see a federation with
> all 5 SPs (so the IDP maintains a different value for each of the 5
> SPs).
>
> Or perhaps the idea is that the IDP maintains only 1 mapping (for all
> 5 SPs). Hence the SPs somehow have a way to acquire the mapped user?
> Perhaps one of the 5 SPs is the primary, or there is some replication
> taking place?
>
> Thanks, Tom.
>
> Thomas Wisniewski
> Software Architect
> Phone: (201) 891-0524
> Cell: (201) 248-3668
>
> Entrust®
> Securing Digital Identities
> & Information
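The following is an added illustration of the model in Greg's reply (one persistent NameID mapping per affiliation at the IdP, with the affiliation ID carried as SPNameQualifier, and each SP's SPProvidedID tracked per SP). It is example code written for this page, not code from the thread, from Entrust or from any OASIS artifact; the class, the IdP and SP entity IDs, the affiliation ID and the user name are all invented for the scenario Tom describes (five SPs in one affiliation, plus one SP outside it).

```python
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class IdPNameIDStore:
    """Hypothetical IdP-side store of persistent NameID mappings.

    Entries are keyed on (local user, SPNameQualifier).  When the requesting
    SP is a member of an affiliation, the SPNameQualifier is the affiliation
    ID, so every member SP resolves to the same entry; an SP outside any
    affiliation is qualified by its own entity ID and gets a separate entry.
    """

    def __init__(self, idp_entity_id, affiliations):
        self.idp_entity_id = idp_entity_id
        # affiliation ID -> set of member SP entity IDs (constructed config)
        self.affiliations = {aff: set(sps) for aff, sps in affiliations.items()}
        self.member_of = {sp: aff for aff, sps in self.affiliations.items() for sp in sps}
        self.mappings = {}      # (user, qualifier) -> persistent NameID value
        self.sp_provided = {}   # (user, qualifier, sp) -> SPProvidedID set by that SP

    def qualifier_for(self, sp_entity_id):
        """SPNameQualifier to use: the affiliation ID if the SP is a member."""
        return self.member_of.get(sp_entity_id, sp_entity_id)

    def name_id_for(self, user, sp_entity_id):
        """Return (creating on first use) the persistent value this user has
        towards the affiliation or standalone SP that sp_entity_id maps to."""
        key = (user, self.qualifier_for(sp_entity_id))
        if key not in self.mappings:
            self.mappings[key] = secrets.token_urlsafe(24)  # opaque, non-reversible
        return self.mappings[key]

    def sp_sets_provided_id(self, user, sp_entity_id, sp_provided_id):
        """MNI initiated by an SP: record the SPProvidedID that this one SP
        attached.  It is kept per SP, not shared across the affiliation."""
        key = (user, self.qualifier_for(sp_entity_id), sp_entity_id)
        self.sp_provided[key] = sp_provided_id

    def idp_changes_name_id(self, user, sp_entity_id, new_value):
        """MNI initiated by the IdP: rewrite the single shared mapping and
        return the member SPs that now resolve to the new value.  Whether
        anything is sent to them is outside this store (and, per the reply
        above, outside the IdP's responsibilities)."""
        qualifier = self.qualifier_for(sp_entity_id)
        self.mappings[(user, qualifier)] = new_value
        return sorted(self.affiliations.get(qualifier, {sp_entity_id}))

    def name_id_element(self, user, sp_entity_id):
        """Build the <saml:NameID> the IdP would issue to sp_entity_id."""
        qualifier = self.qualifier_for(sp_entity_id)
        el = ET.Element(f"{{{SAML_NS}}}NameID", {
            "Format": PERSISTENT,
            "NameQualifier": self.idp_entity_id,
            "SPNameQualifier": qualifier,
        })
        provided = self.sp_provided.get((user, qualifier, sp_entity_id))
        if provided is not None:
            el.set("SPProvidedID", provided)
        el.text = self.name_id_for(user, sp_entity_id)
        return el


def demo():
    """Constructed scenario: one IdP, one affiliation of five SPs, one outsider."""
    affiliation = "urn:example:affiliation:retail"
    members = {f"https://sp{i}.example.com" for i in range(1, 6)}
    store = IdPNameIDStore("https://idp.example.org", {affiliation: members})
    # Every member SP gets the same value; the outsider gets its own.
    values = {sp: store.name_id_for("alice", sp) for sp in sorted(members)}
    outsider = store.name_id_for("alice", "https://other.example.net")
    return store, values, outsider


if __name__ == "__main__":
    store, values, outsider = demo()
    sp1 = "https://sp1.example.com"
    store.sp_sets_provided_id("alice", sp1, "local-4711")
    print(ET.tostring(store.name_id_element("alice", sp1), encoding="unicode"))
    print("members seeing IdP-side change:",
          store.idp_changes_name_id("alice", sp1, "rotated-value"))
```

The store ends up with exactly two entries for the user, one keyed by the affiliation ID and one by the outside SP's entity ID, which is the "only 1 mapping for all 5 SPs" reading of Tom's question; the SPProvidedID is the one piece that stays per SP, since it is the SP's own alias rather than part of the shared mapping.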