
security-services message


Subject: Re: [security-services] Affiliation ID

Unless this changed from ID-FF, the communication between the SPs that 
are members of the affiliation, about the user's NameID, is out of 
scope. So, the IdP maintains only one mapping for the affiliation and 
treats all members of the affiliation as equal (and is not responsible 
for replicating changes among the members).


On Jun 12, 2005, at 6:40 AM, Thomas Wisniewski wrote:

> Hi, when an affiliation id is used with persistent identifiers -- it 
> is set using SPNameQualifier (primarily dictated by an SP).
> What I'm not clear on is whether the affiliation id is managed at all 
> SPs? I.e., does a user have to federate (somehow) themselves for each 
> of their SPs. So if you have 5 SPs using 1 affiliation and one IDP for 
> these 5, does a user have to federate with each of the 5?
> Put another way, consider MNI, where the SPProvidedID is being changed 
> by an SP, or the NameID value is being changed by the IDP. For the 
> latter case, does the IDP have to send the MNI request to all SPs? If 
> you think about the UI at the IDP, does the user see a federation with 
> all 5 SPs (so the IDP maintains a different value for each of the 5 
> SPs).
> Or perhaps the idea is that the IDP maintains only 1 mapping (for all 
> 5 SPs). Hence the SPs somehow have a way to acquire the mapped user?
> Perhaps one of the 5 SPs is the primary, or there is some replication 
> taking place?
> Thanks, Tom.
> Thomas Wisniewski
> Software Architect
> Phone: (201) 891-0524
> Cell: (201) 248-3668
> Entrust
> Securing Digital Identities
> & Information

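The model the reply describes, as an added example that is not part of the thread and not code from any SAML implementation: an IdP-side store of persistent NameIDs keyed by (user, SPNameQualifier). When the qualifier is the affiliation ID, one mapping serves every member SP, so an IdP-initiated ManageNameID change is applied once and every member sees the new value on its next assertion. All entity IDs, the affiliation ID and the user names are constructed placeholders; the refusal of an affiliation-scoped name to a non-member SP is an assumption added here, since issuing that value to an outsider would let it correlate the user across the whole affiliation.

```python
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample deployment (placeholders, not taken from the thread):
# one IdP, one affiliation of five SPs, and one SP outside the affiliation.
IDP_ENTITY_ID = "https://idp.example.org/saml"
AFFILIATION_ID = "https://affiliation.example.org/members"
AFFILIATIONS = {
    AFFILIATION_ID: {
        "https://sp1.example.org", "https://sp2.example.org",
        "https://sp3.example.org", "https://sp4.example.org",
        "https://sp5.example.org",
    },
}
NON_MEMBER_SP = "https://other-sp.example.net"


class IdPNameIdStore:
    """Persistent NameID bookkeeping at the IdP, keyed by (user, SPNameQualifier)."""

    def __init__(self, affiliations):
        self.affiliations = affiliations   # affiliation ID -> set of member SP entity IDs
        self.mappings = {}                 # (user, qualifier) -> opaque persistent value

    def qualifier_for(self, sp_entity_id, requested_qualifier=None):
        """Choose the SPNameQualifier that governs the identifier for this SP.

        A member SP may name its affiliation; any SP may use its own entity ID.
        Refusing a non-member is an assumption of this example: an affiliation-
        scoped value handed to an outsider would link the user across all members.
        """
        if requested_qualifier is None or requested_qualifier == sp_entity_id:
            return sp_entity_id
        members = self.affiliations.get(requested_qualifier)
        if members is None or sp_entity_id not in members:
            raise PermissionError(
                f"{sp_entity_id} is not a member of {requested_qualifier}")
        return requested_qualifier

    def issue_name_id(self, user, sp_entity_id, requested_qualifier=None):
        """Return the NameID element (as a dict) an assertion for this SP would carry."""
        qualifier = self.qualifier_for(sp_entity_id, requested_qualifier)
        key = (user, qualifier)
        if key not in self.mappings:
            # First federation under this qualifier: mint an opaque, unguessable value.
            self.mappings[key] = secrets.token_urlsafe(24)
        return {
            "Format": PERSISTENT,
            "NameQualifier": IDP_ENTITY_ID,
            "SPNameQualifier": qualifier,
            "value": self.mappings[key],
        }

    def idp_change_name_id(self, user, qualifier):
        """IdP-initiated ManageNameID: replace the single mapping for this qualifier.

        With an affiliation qualifier there is exactly one mapping, so the IdP
        changes it once; it keeps no per-member copies to fan the change out to.
        """
        key = (user, qualifier)
        if key not in self.mappings:
            raise KeyError(f"no federation for {user!r} under {qualifier}")
        self.mappings[key] = secrets.token_urlsafe(24)
        return self.mappings[key]


def demo():
    """Walk through the scenario from the thread: 5 member SPs, 1 affiliation, 1 IdP."""
    store = IdPNameIdStore(AFFILIATIONS)
    sp1 = store.issue_name_id("alice", "https://sp1.example.org", AFFILIATION_ID)
    sp2 = store.issue_name_id("alice", "https://sp2.example.org", AFFILIATION_ID)
    outsider = store.issue_name_id("alice", NON_MEMBER_SP)
    shared = sp1["value"] == sp2["value"]            # one mapping for the affiliation
    new_value = store.idp_change_name_id("alice", AFFILIATION_ID)
    sp5 = store.issue_name_id("alice", "https://sp5.example.org", AFFILIATION_ID)
    return {
        "members_share_value": shared,
        "outsider_value_differs": outsider["value"] != sp1["value"],
        "member_sees_change": sp5["value"] == new_value,
    }


if __name__ == "__main__":
    print(demo())
```

A member SP that does not ask for the affiliation qualifier still gets a separate, SP-scoped mapping, which is why the qualifier on the request, and not just membership, decides which identifier is issued.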