[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] NameID and the use of SPProvidedID
<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>
Now consider if the SP needs to initiate a request (e.g., Single Logout). I would contend that the SP MUST send the following as well:
<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent" SPProvidedID="1234">abcd</NameID>
Another interpretation is that the SP is allowed to continue to send:
<NameID NameQualifier="idp" SPNameQualifier="sp" Format="...persistent">abcd</NameID>
I.e., it never needs to send the value it set in its MNI request with NewID="1234".
This (the SP not having to send the SPProvidedID to the IDP) was the intended behavior when this was designed. The main reason for adding SPProvidedID is to remove a perceived barrier to adoption when potential SPs that we spoke with objected to having to index their data on a nameID provided by the IdP. Note that if we just let the SP define it, you end up with the same problem in reverse.
So we added the SPProvidedID as a token registered by the SP and sent from the IdP to the SP on subsequent assertions, but it was not needed for SP->IdP operations as the IdP keyed its data off the IdP-generated identifier.
Conor
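The behaviour Conor describes (the IdP keys its records on its own persistent identifier, stores the SP's NewID against that record, and echoes it back as SPProvidedID on later assertions, while an SP-initiated request resolves with or without SPProvidedID) can be modelled as a small IdP-side registry. This is an added example, not code from the thread or from any SAML implementation; the names `parse_name_id`, `idp_key`, `NameIdStore` and the sample NameID XML are constructed here, and the consistency check that rejects a mismatching SPProvidedID is an assumption of the example, not something the thread mandates.

```python
"""IdP-side model of persistent NameID handling with SPProvidedID.

Added example (not from the mailing-list thread). All names and the sample
XML below are constructed; values mirror the thread's idp/sp/abcd/1234.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML_NS)

# Constructed sample NameIDs: the one the IdP issued first, and the one the
# IdP sends after the SP registered NewID="1234" via ManageNameIDRequest.
NAMEID_XML = (
    f'<saml:NameID xmlns:saml="{SAML_NS}" NameQualifier="idp" '
    f'SPNameQualifier="sp" Format="{PERSISTENT}">abcd</saml:NameID>'
)
NAMEID_WITH_SPID_XML = (
    f'<saml:NameID xmlns:saml="{SAML_NS}" NameQualifier="idp" '
    f'SPNameQualifier="sp" Format="{PERSISTENT}" SPProvidedID="1234">'
    "abcd</saml:NameID>"
)


def parse_name_id(xml_text: str) -> dict:
    """Extract the attributes and value of a <saml:NameID> (namespace-aware)."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError(f"not a saml:NameID element: {el.tag}")
    return {
        "NameQualifier": el.get("NameQualifier"),
        "SPNameQualifier": el.get("SPNameQualifier"),
        "Format": el.get("Format"),
        "SPProvidedID": el.get("SPProvidedID"),
        "value": (el.text or "").strip(),
    }


def idp_key(nid: dict) -> tuple:
    """Lookup key used by the IdP: qualifiers plus the IdP-generated value.
    SPProvidedID is deliberately NOT part of the key."""
    if not nid["value"]:
        raise ValueError("NameID value must be non-empty")
    return (nid["NameQualifier"], nid["SPNameQualifier"], nid["Format"], nid["value"])


class NameIdStore:
    """Registry: IdP identifier -> principal and the SP-registered NewID."""

    def __init__(self):
        self._records = {}

    def register(self, nid: dict, principal: str) -> None:
        self._records[idp_key(nid)] = {"principal": principal, "SPProvidedID": None}

    def apply_manage_name_id(self, nid: dict, new_id: str) -> None:
        """Record the SP's NewID from a ManageNameIDRequest."""
        rec = self._records.get(idp_key(nid))
        if rec is None:
            raise KeyError("unknown NameID")
        rec["SPProvidedID"] = new_id

    def resolve(self, nid: dict):
        """Resolve an SP-initiated request (e.g. LogoutRequest) to a principal.
        Succeeds whether or not the SP included SPProvidedID; a present but
        mismatching SPProvidedID is rejected (defensive check, an assumption here)."""
        rec = self._records.get(idp_key(nid))
        if rec is None:
            return None
        if nid["SPProvidedID"] is not None and nid["SPProvidedID"] != rec["SPProvidedID"]:
            return None
        return rec["principal"]

    def name_id_for_assertion(self, nid: dict) -> str:
        """Build the NameID the IdP places in subsequent assertions, echoing
        the registered SPProvidedID back to the SP."""
        rec = self._records[idp_key(nid)]
        el = ET.Element(f"{{{SAML_NS}}}NameID")
        el.set("NameQualifier", nid["NameQualifier"])
        el.set("SPNameQualifier", nid["SPNameQualifier"])
        el.set("Format", nid["Format"])
        if rec["SPProvidedID"] is not None:
            el.set("SPProvidedID", rec["SPProvidedID"])
        el.text = nid["value"]
        return ET.tostring(el, encoding="unicode")


def build_store() -> NameIdStore:
    """Constructed scenario: IdP issues 'abcd' for alice, SP registers '1234'."""
    store = NameIdStore()
    base = parse_name_id(NAMEID_XML)
    store.register(base, "alice")
    store.apply_manage_name_id(base, "1234")
    return store


if __name__ == "__main__":
    s = build_store()
    print(s.resolve(parse_name_id(NAMEID_XML)))            # alice (no SPProvidedID)
    print(s.resolve(parse_name_id(NAMEID_WITH_SPID_XML)))  # alice (with SPProvidedID)
    print(s.name_id_for_assertion(parse_name_id(NAMEID_XML)))
```

Both forms of the LogoutRequest NameID from the quoted message resolve to the same record because the key is built from the IdP-generated value, which is exactly why the SP never has to send the NewID back.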