> IdPs need to log which
> identifier is used
that's subtly different from what is said in the T&C. They have to log the
values. What the tokens are, that seems to be agreed between IdP and SP up
front, presumably by a couple of humans.
>> no
>> SAML V1.1 NameIdentifier format has this uniqueness property
If the NameIdentifier is not unique other info is required from the SP,
e.g. the issueInstant perhaps? So an SP has to know up front whether an
IdP is going to reuse NameIdentifiers. So the SP has to know what to log
itself.
So the token(s) used to resurrect a user session are specific to a
particular IdP/SP contract?
Alistair
--
mov eax,1
mov ebx,0
int 80h
> Nothing in this discussion makes that assumption.
>
> The only thing that's been said is that IdPs need to log which
> identifier is used for which user so that SPs, if they need to track it
> back, can do so in collaboration with the IdP.
>
> Tom Scavo wrote:
>> On 4/23/07, Ian Young wrote:
>>> Alistair Young wrote:
>>>
>>> > So it's the value of NameIdentifier.
>>>
>>> It's the correspondence between that and the end user.
>>
>> There's an implicit assumption here that the NameIdentifier is unique
>> per assertion. This is mostly true in Shibboleth deployments today,
>> but Shibboleth supports other types of NameIdentifiers, and indeed no
>> SAML V1.1 NameIdentifier format has this uniqueness property. So
>> NameIdentifier by itself is not sufficient in general to identify a
>> particular transaction.
>>
>> Tom
>
> --
> Chad La Joie 2052-C Harris Bldg
> OIS-Middleware 202.687.0124
>
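As an added illustration of the logging point argued in this thread (example code written for this page, not from the list or from the Shibboleth project): an SP audit record keyed on AssertionID and IssueInstant rather than the NameIdentifier value alone, and an IdP-side trace-back over a constructed log in which the same handle value has been reissued for a different user. The SAML 1.0 assertion namespace and the Shibboleth handle Format URI are real; the assertion, the log rows and the principal names are constructed.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Constructed SAML 1.1 assertion (not from the thread), Shibboleth handle format.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3d4" Issuer="https://idp.example.org/shibboleth"
    IssueInstant="2007-04-23T10:15:30Z">
  <saml:AuthenticationStatement AuthenticationInstant="2007-04-23T10:15:29Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.org/shibboleth">handle-7f3e</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def sp_audit_record(assertion_xml: str) -> dict:
    """SP side: log what pins down this transaction, not just the NameIdentifier."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    nid = root.find(f".//{{{NS}}}Subject/{{{NS}}}NameIdentifier")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no NameIdentifier")
    return {"issuer": root.attrib["Issuer"],
            "assertion_id": root.attrib["AssertionID"],
            "issue_instant": root.attrib["IssueInstant"],
            "name_id_format": nid.attrib.get("Format", "unspecified"),
            "name_id": nid.text.strip()}

# IdP side (constructed): one row per issued assertion, identifier -> local
# principal. The same handle value is reissued a day later for another user.
IDP_LOG = [
    {"assertion_id": "_a1b2c3d4", "issue_instant": "2007-04-23T10:15:30Z",
     "name_id": "handle-7f3e", "principal": "alice"},
    {"assertion_id": "_e5f6a7b8", "issue_instant": "2007-04-24T09:00:00Z",
     "name_id": "handle-7f3e", "principal": "bob"},
]

def name_id_is_ambiguous(name_id: str, idp_log: list) -> bool:
    """True when the IdP log holds more than one assertion for this value."""
    return sum(1 for row in idp_log if row["name_id"] == name_id) > 1

def trace_back(record: dict, idp_log: list) -> str:
    """IdP side: resolve an SP record to a principal, keyed on AssertionID."""
    hits = [r for r in idp_log if r["assertion_id"] == record["assertion_id"]]
    if len(hits) != 1:
        raise LookupError("assertion not found, or duplicated, in IdP log")
    if hits[0]["name_id"] != record["name_id"]:
        raise ValueError("NameIdentifier mismatch between SP and IdP logs")
    return hits[0]["principal"]
```

With the handle alone the IdP log is ambiguous (two principals), while the AssertionID the SP recorded resolves to exactly one.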