Subject: RE: [security-services] NameID and the use of SPProvidedID


 

> I really don't feel strongly about the issue, but I agree 
> with Tom that reading the spec, it isn't very ambiguous to me either.

I think the "problem" came in when moving from ID-FF (which had these
as two separate elements rather than having the SPProvidedNameIdentifier
as an attribute of the NameID) to SAML.

In ID-FF we were pretty explicit of where the SPProvidedNameIdentifier
needed to be and it was on messages going from IdP to SP.  To quote the
ID-FF spec:

	Otherwise, the identity provider MUST use <SPProvidedNameIdentifier>
	when subsequently communicating to the service provider regarding the
	Principal.

So I think this requirement came out of an unintended consequence rather
than someone consciously thinking about making this a requirement.

My gut is that we should fix this in the errata (if you can do that
kind of change in errata) but I too don't feel all that strongly about 
this.

I think it is probably more important that we have guidance that 
implementations SHOULD use the IdP NameIdentifier where possible and
SHOULD ONLY use the SPProvidedNameID when they can't configure their
systems to use the IdP's NameID.


Conor
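The guidance at the end of this message (key on the IdP's NameID, and consult SPProvidedID only where the SP cannot be configured otherwise) can be expressed as a small resolver. The following is an added example, not code from this thread or from any OASIS or ID-FF implementation: it parses a SAML 2.0 `<saml:NameID>` (the `Format`, `NameQualifier`, `SPNameQualifier` and `SPProvidedID` attributes are the real SAML 2.0 ones), then looks the subject up in two constructed local stores. The store layout, the `use_sp_provided_id` switch and the check that refuses a subject when the two mappings disagree are design assumptions of this example.

```python
# Added example (not code from the original thread): parse a SAML 2.0 NameID
# and resolve a local account, preferring the IdP-issued identifier and using
# SPProvidedID only when explicitly configured.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass(frozen=True)
class NameId:
    value: str
    fmt: Optional[str]
    name_qualifier: Optional[str]
    sp_name_qualifier: Optional[str]
    sp_provided_id: Optional[str]

    def idp_key(self) -> Tuple[Optional[str], Optional[str], str]:
        # The IdP-issued identifier is only meaningful together with its
        # qualifiers; two IdPs may legitimately issue the same bare string.
        return (self.name_qualifier, self.sp_name_qualifier, self.value)


def parse_name_id(xml_text: str) -> NameId:
    """Extract the first saml:NameID from a Subject/Assertion fragment."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAML_NS}}}NameID"
    elem = root if root.tag == tag else root.find(f".//{tag}")
    if elem is None:
        raise ValueError("no saml:NameID element found")
    value = (elem.text or "").strip()
    if not value:
        raise ValueError("saml:NameID has an empty value")
    return NameId(
        value=value,
        fmt=elem.get("Format"),
        name_qualifier=elem.get("NameQualifier"),
        sp_name_qualifier=elem.get("SPNameQualifier"),
        sp_provided_id=elem.get("SPProvidedID"),
    )


def resolve_local_account(
    nid: NameId,
    by_idp_name_id: Dict[Tuple[Optional[str], Optional[str], str], str],
    by_sp_provided_id: Dict[str, str],
    use_sp_provided_id: bool = False,
) -> Optional[str]:
    """Map a NameID to a local account id.

    Default policy (the guidance in the thread): key on the IdP's NameID.
    Only when the deployment is configured with use_sp_provided_id=True is the
    SP-chosen alias consulted, and then only as a fallback that must not
    contradict an IdP-keyed match.
    """
    idp_match = by_idp_name_id.get(nid.idp_key())
    if not use_sp_provided_id or nid.sp_provided_id is None:
        return idp_match
    alias_match = by_sp_provided_id.get(nid.sp_provided_id)
    if idp_match is not None and alias_match is not None and idp_match != alias_match:
        # Hypothetical safety check (this example's design choice): a
        # disagreement between the two mappings points at a stale or
        # mis-registered alias, so refuse rather than guess.
        raise ValueError("SPProvidedID and IdP NameID map to different accounts")
    return idp_match if idp_match is not None else alias_match


# Constructed sample fragment, not taken from any real deployment.
SAMPLE_SUBJECT = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               NameQualifier="https://idp.example.org"
               SPNameQualifier="https://sp.example.com"
               SPProvidedID="sp-alias-4711">idp-opaque-9f3c</saml:NameID>
</saml:Subject>
"""

# Constructed local stores: one keyed by the qualified IdP NameID, one by the
# alias this SP registered with the IdP.
IDP_STORE = {
    ("https://idp.example.org", "https://sp.example.com", "idp-opaque-9f3c"): "local-user-42"
}
ALIAS_STORE = {"sp-alias-4711": "local-user-42"}

if __name__ == "__main__":
    nid = parse_name_id(SAMPLE_SUBJECT)
    print(nid.fmt == PERSISTENT, resolve_local_account(nid, IDP_STORE, ALIAS_STORE))
```

Keying the IdP store on the (NameQualifier, SPNameQualifier, value) triple rather than the bare value is what makes the "use the IdP's NameID" advice safe across multiple IdPs; the SPProvidedID path stays off unless the deployment opts in.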

