security-services message
Subject: Change Notify - Multi-protocol Identifier Issue


One of the early reasons I felt that modify operations needed to be in SAML was because of identifiers. ChangeNotify solves the issue of state control while still enabling change support within SAML (by converting an add/modify/delete to a simple AttributeQuery or AuthnRequest).

Yet the nagging question remains. If one party wants to notify another of changes, but wants to allow the target to choose another protocol to propagate the change, how are differences in identifiers handled between protocols? In ChangeNotify, the current proposal says that the notify message contains only the SAML name identifier of the subject being changed.

I am going to propose the following background qualifiers to ChangeNotify:
1. The Notify Issuer and Target likely have a pre-negotiated relationship. After all, they've decided to share updates.
2. In any scenario, if the notify message occurs within SAML, then likely the action protocol will be SAML or ONE OTHER protocol. Though it may happen in some cases, 3 or more protocols wouldn't be likely. By far, the primary case would be for a single protocol - likely SAML.
3. In many cases, what protocol is preferred is probably already understood by administrators and may be a matter of policy. For example, if more than 5 records, use SPML; otherwise use SAML.

Conclusion: while some negotiation is possible, it is not expected to be the primary use case.

My proposal is that, in addition to the SAML NameIdentifier being present in the message, we include all identifiers for the offered available action protocols. Here is one possible example of how a message might be restructured:

<samln:ChangeNotifyRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samln="urn:oasis:names:tc:SAML:2.0:notify"
    ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <NewSubject>
    <Identifier protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:LDAPv3">
      C=US, O=NCSA-TEST, OU=User, CN=j.doe@uiuc.edu
    </Identifier>
    <Identifier protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:SamlAttributeQuery">
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=j.doe@uiuc.edu
      </saml:NameID>
    </Identifier>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    </saml:Attribute>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26" FriendlyName="mail">
    </saml:Attribute>
  </NewSubject>
  <ActionProtocol protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:SamlAttributeQuery" issuerInitiated="false"/>
  <ActionProtocol protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:LDAPv3" issuerInitiated="false"/>
</samln:ChangeNotifyRequest>

Concerns:
1. Need a lighter way to specify identifiers in multiple protocols. Is there a way we could simply specify a URL-equivalent mapping for each protocol identifier? E.g. OpenID URL, LDAP URL, SAML URL?
2. If necessary, we could drop ActionProtocol in favour of record-by-record statements. IOW, the presence of a protocol identifier indicates the object is available by that protocol.
3. ActionProtocol is only required if an endpoint is needed (e.g. to indicate where the LDAP service is available), or the issuer wants to indicate operations to begin after a certain time (actionAfter attribute).
4. Issuer initiated: is this understood in advance? Is it useful inside the protocol?
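As an added example (not part of the original message or of any OASIS specification), here is a receiver-side check in Python for the structure proposed above: it parses the identifier offered for each protocol, selects an action protocol by local preference, and refuses a notify whose identifiers do not all name the same subject, since acting on such a message would update different subjects depending on which protocol is chosen. The element names, protocol URNs and the embedded sample request follow the proposal and are assumptions, not a ratified schema.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PROTO_PREFIX = "urn:oasis:names:tc:SAML:2.0:notify:protocol:"

# Constructed sample adapted from the proposal above (element names are the proposal's, not a ratified schema).
SAMPLE = """<samln:ChangeNotifyRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samln="urn:oasis:names:tc:SAML:2.0:notify" Version="2.0" IssueInstant="2006-07-17T20:31:40Z">
  <NewSubject>
    <Identifier protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:LDAPv3">C=US, O=NCSA-TEST, OU=User, CN=j.doe@uiuc.edu</Identifier>
    <Identifier protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:SamlAttributeQuery">
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=j.doe@uiuc.edu
      </saml:NameID>
    </Identifier>
  </NewSubject>
  <ActionProtocol protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:SamlAttributeQuery" issuerInitiated="false"/>
  <ActionProtocol protocol="urn:oasis:names:tc:SAML:2.0:notify:protocol:LDAPv3" issuerInitiated="false"/>
</samln:ChangeNotifyRequest>"""

def _short(urn):
    # Strip the shared prefix; anything outside the notify protocol namespace is rejected.
    if not urn.startswith(PROTO_PREFIX):
        raise ValueError("unrecognised action protocol URN: %r" % urn)
    return urn[len(PROTO_PREFIX):]

def parse_notify(xml_text):
    """Return ({protocol: identifier}, {protocol: issuerInitiated}) from one request."""
    root = ET.fromstring(xml_text)
    ids = {}
    for ident in root.iterfind("NewSubject/Identifier"):
        name_id = ident.find("saml:NameID", NS)  # the SAML form wraps a NameID
        raw = (name_id.text if name_id is not None else ident.text) or ""
        ids[_short(ident.get("protocol", ""))] = " ".join(raw.split())
    offered = {_short(a.get("protocol", "")): a.get("issuerInitiated") == "true"
               for a in root.iterfind("ActionProtocol")}
    return ids, offered

def identifiers_agree(ids):
    """True when every identifier names the same subject (approximates LDAP DN matching)."""
    norm = lambda dn: ",".join(rdn.strip().lower() for rdn in dn.split(","))
    return len({norm(v) for v in ids.values()}) == 1

def select_action_protocol(xml_text, preference=("SamlAttributeQuery", "LDAPv3")):
    """Pick the first preferred protocol that is offered and carries an identifier."""
    ids, offered = parse_notify(xml_text)
    if not ids or not identifiers_agree(ids):  # a mismatch would hit different subjects per protocol
        raise ValueError("subject identifiers missing or inconsistent across protocols")
    for proto in preference:
        if proto in offered and proto in ids:
            return proto, ids[proto], offered[proto]
    raise ValueError("no preferred protocol is offered with a usable identifier")
```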
