RE: [security-services] Affiliation ID

[Thomas Wisniewski <Thomas.Wisniewski@entrust.com>]

Title: RE: [security-services] Affiliation ID

Greg, thanks.

So as a persistent id example using an affiliation id, upon initial access/federation, the IDP would create a opaque id for the user (assume federation is allowed and active) and return it to the SP. If the user uses another SP in the affiliation, then the IDP will "re-use" the opaque id and send it to the SP. It is then up to the SP as to how they handle this.

Is there any notion in ID-FF (I know there's none in Saml) about what MNI means in terms of affiliation ids? I guess one could send it to the owner of the affiliation (if the owner was an SP)? But by definition in the saml metadata spec, the owner does not have to be a member. So I guess (although out of scope), the IDP can allow the MNI to be sent to no SPs, one SP, all SPs (then it becomes like SLO), or to individual SPs (up to the IDP implementer). Does that sound right?

Thanks, Tom.

-----Original Message-----
From: Greg Whitehead [mailto:grw@trustgenix.com]
Sent: Sunday, June 12, 2005 12:46 PM
To: Thomas Wisniewski
Cc: security-services@lists.oasis-open.org
Subject: Re: [security-services] Affiliation ID

Unless this changed from ID-FF, the communication between the SPs that
are members of the affiliation, about the user's NameID, is out of
scope. So, the IdP maintains only one mapping for the affiliation and
treats all members of the affiliation as equal (and is not responsible
for replicating changes among the members).

-Greg

On Jun 12, 2005, at 6:40 AM, Thomas Wisniewski wrote:

> Hi, when an affiliation id is used with persistent identifiers -- it
> is set using SPNameQualifier (primarily dictated by an SP).
>  
> What I'm not clear on is whether the affiliation id is managed at all
> SPs? I.e., does a user have to federate (someone) themselves for each
> of their SPs. So if you have 5 SPs using 1 affiliation and one IDP for
> these 5, does a user have to federate with each 5.
>  
> Put another way, consider MNI, where the SPProvidedID is being changed
> by an SP, or the NameID value is being changed by the IDP. For the
> latter case, does the IDP have to send the MNI request to all SPs? If
> you think about the UI at the IDP, does the user see a federation with
> all 5 SPs  (so the IDP maintains a different value for each of the 5
> SPs).
>  
> Or perhaps the idea is that the IDP maintains only 1 mapping (for all
> 5 SPs). Hence the SPs, someone have a way to acquire the mapped user? 
> Perhaps one of the 5 SPs is the primary, or there is some replication
> taking place?
>  
>  
> Thanks, Tom.
>  
>
> Thomas Wisniewski
> Software Architect
> Phone: (201) 891-0524
> Cell: (201) 248-3668
>  
> EntrustÒ
> Securing Digital Identities
> & Information
>