security-services message



Subject: RE: [security-services] NameID and the use of SPProvidedID


> I think the "problem" came in when moving from ID-FF (which had these
> as two separate elements rather than having the SPProvidedNameIdentifier
> as an attribute of the NameID) to SAML.

The difference I think was that ID-FF put the *IdP* half of the name in the
extra element, so the main NameIdentifier ended up with the SP's version of
the name in some cases, but not in others. It was quite confusing to me,
which is why I altered it to consistently assign the data to the same places.

> So I think this requirement came out of an unintended consequence rather
> than someone consciously thinking about making this a requirement.

Actually the text Tom referenced came out of me attempting to avoid adding
more confusion by special-casing the rules based on who the sender was,
because that was what led to all kinds of confusion in ID-FF. I was actually
editing errata to ID-FF while writing that text.

But the *spirit* of the attribute is that the IdP should never need to care
about it other than including it in its own messages, which is consistent
with your point...it was about messages from IdP->SP much more than the
other way around.

> My gut is that we should fix this in the errata (if you can do that
> kind of change in errata) but I too don't feel all that 
> strongly about this.

Given the MUST, I would side with Tom that it does more harm than good to
try and get out of it now.

> I think it is probably more important that we have guidance that 
> implementations SHOULD use the IdP NameIdentifier where possible and
> SHOULD ONLY use the SPProvidedNameID when they can't configure their
> systems to use the IdP's NameID.

Strongly agree.

-- Scott
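As an added example (not part of this thread or of any SAML implementation discussed in it), the Python below parses a saml:NameID and applies the guidance quoted above: the SP keys its local account on the IdP's identifier and consults SPProvidedID only as an explicitly enabled fallback, while the IdP side merely echoes the alias without interpreting it. The element, entity IDs, identifier values and account tables are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TAG = f"{{{SAML_NS}}}NameID"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: an IdP-issued NameID that echoes back the alias the SP
# registered earlier via SPProvidedID (all values are made up).
SAMPLE_NAMEID = (
    f'<saml:NameID xmlns:saml="{SAML_NS}" Format="{PERSISTENT}" '
    'NameQualifier="https://idp.example.org" '
    'SPNameQualifier="https://sp.example.com" '
    'SPProvidedID="sp-alias-42">idp-opaque-7f3a</saml:NameID>'
)


def parse_nameid(xml_text):
    """Return the NameID value and the attributes relevant to identity mapping."""
    root = ET.fromstring(xml_text)
    if root.tag != NAMEID_TAG:
        raise ValueError("not a saml:NameID element")
    return {
        "value": (root.text or "").strip(),
        "format": root.get("Format"),
        "name_qualifier": root.get("NameQualifier"),
        "sp_name_qualifier": root.get("SPNameQualifier"),
        "sp_provided_id": root.get("SPProvidedID"),
    }


def resolve_account(nameid, accounts, allow_sp_alias=False):
    """SP side: the IdP-asserted identifier (qualifiers + value) is the key.
    SPProvidedID is an alias the SP itself registered and the IdP only echoes,
    so it is consulted only when explicitly allowed (systems that cannot key
    on the IdP value) and only after the IdP key found nothing."""
    idp_key = (nameid["name_qualifier"], nameid["sp_name_qualifier"],
               nameid["format"], nameid["value"])
    if idp_key in accounts["by_idp_key"]:
        return accounts["by_idp_key"][idp_key]
    alias = nameid["sp_provided_id"]
    if allow_sp_alias and alias:
        return accounts["by_sp_alias"].get(alias)
    return None


def idp_nameid(value, fmt, idp, sp, sp_alias=None):
    """IdP side: emit the IdP's own identifier and echo any registered SP alias
    unchanged; the IdP never interprets the alias."""
    el = ET.Element(NAMEID_TAG, Format=fmt, NameQualifier=idp, SPNameQualifier=sp)
    if sp_alias:
        el.set("SPProvidedID", sp_alias)
    el.text = value
    return ET.tostring(el, encoding="unicode")
```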


