
security-services message



Subject: RE: [security-services] NameID and the use of SPProvidedID



<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>

Now consider if the SP needs to initiate a request (e.g., Single Logout). I would contend that the SP MUST send the following as well:

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>

Another interpretation is that the SP is allowed to continue to send:

<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent">abcd</NameID>

I.e., it never needs to send the value it set in its MNI request with NewID="1234".

This (the SP not having to send the SPProvidedID to the IdP) was the intended behavior when this was designed. The main reason for adding SPProvidedID was to remove a perceived barrier to adoption: potential SPs that we spoke with objected to having to index their data on a NameID provided by the IdP. Note that if we just let the SP define it, you end up with the same problem in reverse.

So we added SPProvidedID as a token registered by the SP and sent from the IdP to the SP on subsequent assertions, but it was not needed for SP->IdP operations, as the IdP keyed its data off the IdP-generated identifier.

Conor 
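The IdP-side behaviour described in the reply, written out as an added example (not code from this thread or from any SAML implementation): the IdP keys its records on its own identifier plus the qualifiers, records the SP's NewID from a ManageNameIDRequest, ignores SPProvidedID when resolving an SP-initiated request such as a LogoutRequest, and echoes the registered token back only in subsequent IdP-issued NameIDs. The assertion namespace and the persistent Format URI are the real SAML 2.0 values standing in for the "...persistent" shorthand above; the store class, function names and sample elements are constructed for the example.

```python
"""IdP-side NameID handling matching the behaviour described in the reply.

Added example for this thread; it is not code from the original message or
from any SAML implementation. The assertion namespace and the persistent
Format URI are the real SAML 2.0 values; the record store, the function
names and the sample NameID elements are constructed for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML_NS)

# Constructed samples: the two SP->IdP forms from the thread, written out
# with the full Format URI and an explicit namespace declaration.
NAMEID_WITH_SPID = (
    f'<NameID xmlns="{SAML_NS}" NameQualifier="idp" SPNameQualifier="sp" '
    f'Format="{PERSISTENT}" SPProvidedID="1234">abcd</NameID>'
)
NAMEID_WITHOUT_SPID = (
    f'<NameID xmlns="{SAML_NS}" NameQualifier="idp" SPNameQualifier="sp" '
    f'Format="{PERSISTENT}">abcd</NameID>'
)


def name_id_key(name_id_xml):
    """Reduce a saml:NameID to the tuple the IdP indexes on.

    SPProvidedID is deliberately not part of the key: the IdP keys its data
    off its own identifier, so a request carrying the SP's token and one
    omitting it resolve to the same record.
    """
    el = ET.fromstring(name_id_xml)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("expected a saml:NameID element")
    if el.get("Format") != PERSISTENT:
        raise ValueError("example only handles the persistent format")
    return (el.get("NameQualifier"), el.get("SPNameQualifier"), (el.text or "").strip())


class IdpNameIdStore:
    """Minimal IdP store: (NameQualifier, SPNameQualifier, value) -> SPProvidedID or None."""

    def __init__(self):
        self._records = {}

    def register(self, name_qualifier, sp_name_qualifier, value):
        """Federate a new persistent identifier generated by the IdP."""
        self._records[(name_qualifier, sp_name_qualifier, value)] = None

    def manage_name_id(self, name_id_xml, new_id):
        """SP->IdP ManageNameIDRequest with NewID: record the SP's token."""
        key = name_id_key(name_id_xml)
        if key not in self._records:
            raise KeyError("ManageNameIDRequest for unknown NameID")
        self._records[key] = new_id

    def resolve(self, name_id_xml):
        """Resolve the NameID of an SP-initiated request (e.g. LogoutRequest).

        Returns the record key, or None if the IdP has no such identifier.
        """
        key = name_id_key(name_id_xml)
        return key if key in self._records else None

    def issue_name_id(self, name_qualifier, sp_name_qualifier, value):
        """Build the NameID for a subsequent IdP->SP assertion, carrying the
        SP's registered token in SPProvidedID once one has been set."""
        key = (name_qualifier, sp_name_qualifier, value)
        el = ET.Element(f"{{{SAML_NS}}}NameID", {
            "NameQualifier": name_qualifier,
            "SPNameQualifier": sp_name_qualifier,
            "Format": PERSISTENT,
        })
        if self._records[key] is not None:
            el.set("SPProvidedID", self._records[key])
        el.text = value
        return ET.tostring(el, encoding="unicode")


def demo():
    """Walk the exchange: register, MNI with NewID, then both SP->IdP forms."""
    store = IdpNameIdStore()
    store.register("idp", "sp", "abcd")
    store.manage_name_id(NAMEID_WITHOUT_SPID, "1234")
    return {
        "logout_with_spid": store.resolve(NAMEID_WITH_SPID),
        "logout_without_spid": store.resolve(NAMEID_WITHOUT_SPID),
        "next_assertion": store.issue_name_id("idp", "sp", "abcd"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Both SP->IdP forms from the thread resolve to the same record because SPProvidedID never enters the lookup key; only the NameID the IdP issues afterwards carries the token. An IdP that instead keyed its records on SPProvidedID would fail to resolve the second form, which is the ambiguity the question raises.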


