When adding an RP or FP, the IP must know what URI name values to expect to receive in the AppliesTo element of an RST or the wtrealm parameter of a wsignout1.0 message (as defined in section 13). There is no existing element to express this value. The TargetScopes element is proposed to address this gap.
Proposal:
Add a new section preceding the example document section (3.1.16).
3.1.xx TargetScopes Element
The [WS-Trust] protocol allows a token requester to indicate the target where the issued token will be used (i.e., token scope) by using the optional element wsp:AppliesTo in the RST message. To communicate the supported wsp:AppliesTo values (wtrealm values in passive requestor scenarios) for a realm, federated metadata provides the <fed:TargetScopes> element to indicate the EPRs that are associated with token scopes of the relying party or STS. Note that an RP or STS MAY be capable of supporting other wsp:AppliesTo values. This element populates the [Federation Metadata] property. This is typically a service-level statement.
The schema for this optional element is shown below.
<fed:TargetScopes ...>
    <wsa:EndpointReference>
        ...
    </wsa:EndpointReference> +
</fed:TargetScopes>
The following example illustrates using this optional element to specify a logical name of the federating organization as a token issuer.
<fed:TargetScopes>
    <wsa:EndpointReference>
        <wsa:Address>http://fabrikam.com/federation/corporate</wsa:Address>
    </wsa:EndpointReference>
</fed:TargetScopes>
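The practical use of this element on the IP/STS side is to decide whether an incoming wsp:AppliesTo or wtrealm value names a scope the partner actually advertised. The following Python is an added example, not part of the proposal or of any WS-Federation implementation: it reads the EPR addresses under fed:TargetScopes from a constructed metadata fragment modelled on the example above, canonicalises them, and checks a requested scope against that set by exact match. The fed and wsa namespace URIs, the second EndpointReference and the helper names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespace URIs are an assumption of this example; the proposal text does not state them.
NS = {
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample fragment modelled on the proposal's example. The second
# EndpointReference and the stray whitespace in the first address are added here
# to exercise normalisation; they are not from the proposal.
SAMPLE_TARGET_SCOPES = f"""<fed:TargetScopes xmlns:fed="{NS['fed']}" xmlns:wsa="{NS['wsa']}">
  <wsa:EndpointReference>
    <wsa:Address> http://fabrikam.com/federation/corporate </wsa:Address>
  </wsa:EndpointReference>
  <wsa:EndpointReference>
    <wsa:Address>https://Partners.Fabrikam.com/federation/</wsa:Address>
  </wsa:EndpointReference>
</fed:TargetScopes>"""


def normalize_scope(uri: str) -> str:
    """Canonicalise a scope URI so that equality comparison is meaningful.

    Scheme and host are case-insensitive (RFC 3986), so they are lowercased.
    The path is case-sensitive and kept as-is apart from trailing slashes.
    Surrounding whitespace, as seen in the metadata example, is stripped.
    """
    parts = urlsplit(uri.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, parts.fragment))


def parse_target_scopes(xml_text: str) -> frozenset:
    """Return the normalised wsa:Address values advertised under fed:TargetScopes.

    Accepts either the TargetScopes element itself or a larger metadata document
    that contains one; returns an empty set when the element is absent.
    """
    root = ET.fromstring(xml_text)
    target_tag = "{%s}TargetScopes" % NS["fed"]
    scopes_el = root if root.tag == target_tag else root.find(".//fed:TargetScopes", NS)
    if scopes_el is None:
        return frozenset()
    addresses = scopes_el.findall("wsa:EndpointReference/wsa:Address", NS)
    return frozenset(normalize_scope(a.text) for a in addresses
                     if a.text and a.text.strip())


def is_supported_scope(requested: str, scopes: frozenset) -> bool:
    """Decide whether a wsp:AppliesTo / wtrealm value names an advertised scope.

    The comparison is exact on the canonical form. Prefix or substring matching
    is deliberately avoided: a value that merely starts with, or contains, a
    known scope is not a known scope.
    """
    return normalize_scope(requested) in scopes


if __name__ == "__main__":
    scopes = parse_target_scopes(SAMPLE_TARGET_SCOPES)
    for value in ("http://fabrikam.com/federation/corporate",
                  "HTTP://FABRIKAM.COM/federation/corporate/",
                  "http://fabrikam.com/federation/corporate/other",
                  "http://fabrikam.com/federation"):
        print(f"{value!r}: {'known' if is_supported_scope(value, scopes) else 'unknown'} scope")
```

The exact-match policy is the point worth keeping: the metadata says which scopes the RP or STS supports, so the issuer treats anything outside that set as unknown and refuses to issue for it, rather than guessing from a partial match. Operators who need to accept additional wsp:AppliesTo values (which the proposal explicitly allows) should add them to the advertised set, not loosen the comparison.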