OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] NameID and the use of SPProvidedID


> I really don't feel strongly about the issue, but I agree 
> with Tom that reading the spec, it isn't very ambiguous to me either.

I think the "problem" came in when moving from ID-FF (which had these
as two separate elements rather than having the SPProvidedNameIdentifier
as an attribute of the NameID) to SAML.

In ID-FF we were pretty explicit of where the SPPRovidedNameIdentifier
needed to be and it was on messages going from IdP to SP.  To quote the
ID-FF spec:

	Otherwise, the identity provider MUST use
	when subsequently communicating to the service provider
regarding the

So I think this requirement came out of an unintended consequence rather
than someone consciously thinking about making this a requirement.

My gut is that we should fix this in the errata (if you can do that
kind of change in errata) but I too don't feel all that strongly about 

I think it is probably more important that we have guidance that 
implementations SHOULD use the IdP NameIdentifier where possible and
SHOULD ONLY use the SPProvidedNameID when they can't configure their
systems to use the IdP's NameID.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]