>>>>> "Cantor," == Cantor, Scott <[log in to unmask]> writes:
Cantor,> I didn't wade through this whole thread, but the comments
Cantor,> about COI-scoped identifiers lead me to note that this is
Cantor,> the point I was making to begin with.
Cantor,> You don't need a separate identifier for that, you just
Cantor,> need a syntax that expresses the "audience" for the
Cantor,> identifier in the identifier, and in SAML that's the
Cantor,> SPNameQualifier, which is either the SP itself for a
Cantor,> pairwise ID, or the name of an "Affiliation" of SPs (a COI)
Cantor,> if the identifier is shared across them.
Cantor,> Of course if you prefer to use separate attributes, you
Cantor,> can, but it will be more awkward to express in SAML than
Cantor,> just adopting a triplet syntax that maps directly back to
Cantor,> the SAML persistent NameID format that already exists and
Cantor,> that you're basically duplicating.
I think for RADIUS, separate attributes will fit their model better.
But this is something to consider.
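Added illustration (not code from this thread or from any SAML implementation; the entity IDs, the affiliation membership and the IdP secret are constructed, and the HMAC-based derivation of the value is an assumption for illustration only): a Python model of the persistent NameID triplet Scott describes. The SPNameQualifier carries the audience, so the same user gets one value across the SPs of an affiliation and an unlinkable value for an SP outside it, and the consuming SP checks that the identifier was actually addressed to it.

```python
"""SAML 2.0 persistent NameID as an audience-scoped identifier (added example).

The identifier is a triplet: NameQualifier (issuing IdP), SPNameQualifier
(the audience: one SP, or an affiliation of SPs), and an opaque value that
is only meaningful inside that audience.  All sample data is constructed.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from xml.sax.saxutils import escape, quoteattr

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass(frozen=True)
class PersistentNameID:
    name_qualifier: str      # entityID of the issuing IdP
    sp_name_qualifier: str   # audience: an SP entityID (pairwise) or an affiliation ID
    value: str               # opaque value, stable only within that audience

    def to_triplet(self) -> str:
        # '!'-separated string form, as Shibboleth renders persistent IDs
        return f"{self.name_qualifier}!{self.sp_name_qualifier}!{self.value}"

    @classmethod
    def from_triplet(cls, s: str) -> "PersistentNameID":
        parts = s.split("!")
        if len(parts) != 3 or not all(parts):
            raise ValueError("expected NameQualifier!SPNameQualifier!value")
        return cls(*parts)

    def to_xml(self) -> str:
        # The same triplet expressed as the existing SAML element
        return (f"<saml:NameID Format={quoteattr(PERSISTENT)} "
                f"NameQualifier={quoteattr(self.name_qualifier)} "
                f"SPNameQualifier={quoteattr(self.sp_name_qualifier)}>"
                f"{escape(self.value)}</saml:NameID>")


def audience_for(sp_entity_id: str, affiliations: dict[str, set[str]]) -> str:
    """IdP side: the SPNameQualifier to use for an SP is its affiliation (COI)
    if it belongs to one, otherwise the SP itself, which makes the ID pairwise."""
    matches = [aff for aff, members in affiliations.items() if sp_entity_id in members]
    if len(matches) > 1:
        raise ValueError(f"{sp_entity_id} is in several affiliations; pick one explicitly")
    return matches[0] if matches else sp_entity_id


def mint_persistent_id(idp_secret: bytes, idp_entity_id: str, audience: str,
                       local_user_id: str) -> PersistentNameID:
    """IdP side: derive the value with the audience as an input.  The HMAC
    construction is an illustrative assumption, not any product's algorithm;
    the property that matters is that changing the audience changes the value."""
    mac = hmac.new(idp_secret, f"{audience}!{local_user_id}".encode(),
                   hashlib.sha256).digest()
    return PersistentNameID(idp_entity_id, audience, base64.b64encode(mac).decode())


def sp_accepts(nameid: PersistentNameID, sp_entity_id: str,
               affiliations: dict[str, set[str]], expected_issuer: str) -> bool:
    """SP side: accept the identifier only if it came from the expected IdP and
    its audience is this SP, or an affiliation this SP is a member of."""
    if nameid.name_qualifier != expected_issuer:
        return False
    if nameid.sp_name_qualifier == sp_entity_id:
        return True
    return sp_entity_id in affiliations.get(nameid.sp_name_qualifier, set())


# Constructed sample deployment
IDP = "https://idp.example.edu/idp"
SECRET = b"constructed-idp-salt-not-a-real-key"
SP1, SP2, SP3 = "https://sp1.example.org", "https://sp2.example.org", "https://sp3.example.net"
AFFILIATIONS = {"urn:mace:example.edu:coi:library": {SP1, SP2}}  # SP3 is in no COI


def demo() -> dict:
    """Mint 'alice' for each SP and report what each SP sees."""
    ids = {sp: mint_persistent_id(SECRET, IDP, audience_for(sp, AFFILIATIONS), "alice")
           for sp in (SP1, SP2, SP3)}
    return {
        "shared_in_coi": ids[SP1] == ids[SP2],          # same triplet inside the COI
        "unlinkable_outside": ids[SP1].value != ids[SP3].value,
        "sp2_accepts_coi_id": sp_accepts(ids[SP1], SP2, AFFILIATIONS, IDP),
        "sp3_rejects_coi_id": not sp_accepts(ids[SP1], SP3, AFFILIATIONS, IDP),
        "sp1_rejects_pairwise_id_for_sp3": not sp_accepts(ids[SP3], SP1, AFFILIATIONS, IDP),
        "round_trip": PersistentNameID.from_triplet(ids[SP1].to_triplet()) == ids[SP1],
        "xml": ids[SP1].to_xml(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`audience_for` is the IdP-side decision Scott's message implies: the "separate identifier per COI" falls out of which SPNameQualifier you put in the triplet, not from a new attribute, and an SP that receives a COI-scoped value can verify membership before treating the value as its own.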