Tom Scavo wrote:
> On 4/23/07, Ian Young <[log in to unmask]> wrote:
>> Alistair Young wrote:
>>
>> > So it's the value of NameIdentifier.
>>
>> It's the correspondence between that and the end user.
>
> There's an implicit assumption here that the NameIdentifier is unique
> per assertion.
No, the assumption in this particular case is that a particular
NameIdentifier value always refers to the same principal. From the user
accountability point of view, it wouldn't make a difference if you
reused NameIdentifiers as long as the same principal was referred to
each time.
Just for completeness, note that this is very likely to be true if
you're using any of the SAML 1.1 NameIdentifier formats (except,
arguably, "unspecified") as well as the Shibboleth opaque transient.
Not that you should normally reuse subject NameIdentifiers from a
privacy perspective; but that's outside the scope of Alistair's original
question.
-- Ian
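The accountability property Ian describes (a given NameIdentifier value may be reused, but only ever for the same principal) is something an IdP operator can audit from its own issuance records. The following script is an added example and is not code from this thread or from Shibboleth; it constructs a handful of minimal SAML 1.1 assertions, pairs them with a constructed IdP-side log of which local principal each assertion was issued for, and reports any NameIdentifier value that resolved to more than one principal. It also lists assertions that carry the "unspecified" format, since, as noted above, that is the one format whose value-to-principal correspondence you cannot take for granted. The Shibboleth 1.x transient format URI and the shape of the issuance log are assumptions made for the example.

```python
"""Audit constructed SAML 1.1 assertions against a constructed IdP issuance log.

Property checked: one NameIdentifier value (scoped by Format and NameQualifier)
must never be resolved to more than one principal. Reuse for the same principal
is allowed for accountability purposes, which is what the thread above says.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumed here: the Shibboleth 1.x opaque transient identifier format.
SHIB_TRANSIENT = "urn:mace:shibboleth:1.0:nameIdentifier"
IDP = "https://idp.example.org/shibboleth"  # constructed issuer / qualifier


def make_assertion(aid, value, fmt=None, qualifier=None):
    """Build a minimal constructed SAML 1.1 assertion (not real IdP output)."""
    attrs = ""
    if fmt:
        attrs += f' Format="{fmt}"'
    if qualifier:
        attrs += f' NameQualifier="{qualifier}"'
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="{aid}"
  MajorVersion="1" MinorVersion="1" Issuer="{IDP}"
  IssueInstant="2007-04-23T10:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2007-04-23T10:00:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier{attrs}>{value}</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Constructed sample assertions. The transient handle "_c0ffee" is reused:
# twice for alice (harmless for accountability) and once for bob (a conflict).
ASSERTIONS = [
    make_assertion("_a1", "_c0ffee", SHIB_TRANSIENT, IDP),
    make_assertion("_a2", "_c0ffee", SHIB_TRANSIENT, IDP),
    make_assertion("_a3", "_c0ffee", SHIB_TRANSIENT, IDP),
    make_assertion("_a4", "alice@example.org", EMAIL),
    make_assertion("_a5", "alice"),  # no Format attribute at all
]

# Constructed IdP-side record: which local principal each assertion was issued for.
ISSUANCE_LOG = {"_a1": "alice", "_a2": "alice", "_a3": "bob",
                "_a4": "alice", "_a5": "alice"}


def extract_name_identifier(xml_text):
    """Return (AssertionID, Format, NameQualifier, value) for the first
    NameIdentifier in the assertion. SAML 1.1 puts the Subject inside each
    statement, so search the subtree rather than the root's direct children.
    A missing Format attribute is treated as "unspecified"."""
    root = ET.fromstring(xml_text)
    nid = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if nid is None or not nid.text:
        raise ValueError(f"assertion {root.get('AssertionID')} has no NameIdentifier")
    return (root.get("AssertionID"),
            nid.get("Format", UNSPECIFIED),
            nid.get("NameQualifier"),
            nid.text.strip())


def audit(assertions, issuance_log):
    """Cross-check assertions against the issuance log.

    Returns (conflicts, unspecified):
      conflicts   maps (Format, NameQualifier, value) to the sorted list of
                  principals it resolved to, for every key with more than one;
      unspecified lists AssertionIDs whose NameIdentifier format is unspecified.
    """
    principals_by_key = defaultdict(set)
    unspecified = []
    for xml_text in assertions:
        aid, fmt, qualifier, value = extract_name_identifier(xml_text)
        principals_by_key[(fmt, qualifier, value)].add(issuance_log[aid])
        if fmt == UNSPECIFIED:
            unspecified.append(aid)
    conflicts = {key: sorted(p) for key, p in principals_by_key.items() if len(p) > 1}
    return conflicts, unspecified


if __name__ == "__main__":
    conflicts, unspecified = audit(ASSERTIONS, ISSUANCE_LOG)
    for (fmt, qualifier, value), principals in conflicts.items():
        print(f"CONFLICT {value!r} ({fmt}, qualifier={qualifier}) -> {principals}")
    print("unspecified-format assertions:", unspecified)
```

Run against a real IdP you would replace the constructed lists with the assertions (or their logged NameIdentifier values) and the IdP's own transaction log; the key point is that the check needs the IdP side, because the service provider alone sees only the opaque value and cannot tell whether "_c0ffee" meant the same person both times.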