I didn't wade through this whole thread, but the comments about COI-scoped
identifiers lead me to note that this is the point I was making to begin
with.
You don't need a separate identifier for that, you just need a syntax that
expresses the "audience" for the identifier in the identifier, and in SAML
that's the SPNameQualifier, which is either the SP itself for a pairwise
ID, or the name of an "Affiliation" of SPs (a COI) if the identifier is
shared across them.
Of course if you prefer to use separate attributes, you can, but it will
be more awkward to express in SAML than just adopting a triplet syntax
that maps directly back to the SAML persistent NameID format that already
exists and that you're basically duplicating.
-- Scott
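The triplet Scott describes, worked through as an added example (not code from the post or from any SAML library): a persistent NameID is scoped by NameQualifier (the IdP), SPNameQualifier (a single SP for a pairwise ID, or an affiliation for a COI) and the value, and the receiving SP should only act on it when the SPNameQualifier names itself or an affiliation it belongs to. The entity IDs and affiliation URI below are constructed placeholders.

```python
"""Added example, not from the post: scope a SAML 2.0 persistent NameID by its
(NameQualifier, SPNameQualifier, value) triplet and check its audience."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class PersistentId(NamedTuple):
    idp: str       # NameQualifier: the asserting IdP
    audience: str  # SPNameQualifier: one SP (pairwise) or an affiliation (COI)
    value: str     # the opaque identifier string


def parse_persistent_nameid(xml_text: str) -> PersistentId:
    """Extract the triplet from a <saml:NameID>; reject anything that would
    let the value be interpreted without its audience."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("not a saml:NameID element")
    if el.get("Format") != PERSISTENT:
        raise ValueError("not a persistent NameID")
    idp, aud = el.get("NameQualifier"), el.get("SPNameQualifier")
    value = (el.text or "").strip()
    if not (idp and aud and value):
        raise ValueError("persistent NameID is missing a qualifier or value")
    return PersistentId(idp, aud, value)


def audience_accepts(nid: PersistentId, sp_entity_id: str, affiliations: set) -> bool:
    """An SP may use the identifier only if SPNameQualifier names the SP
    itself (pairwise ID) or an affiliation the SP is a member of."""
    return nid.audience == sp_entity_id or nid.audience in affiliations


# Constructed sample (placeholder entity IDs): a NameID scoped to an affiliation.
SAMPLE_NAMEID = (
    f'<NameID xmlns="{SAML_NS}" Format="{PERSISTENT}" '
    'NameQualifier="https://idp.example.edu/idp" '
    'SPNameQualifier="https://coi.example.org/affiliation">'
    'b6c4f2d0e8a1</NameID>'
)

if __name__ == "__main__":
    nid = parse_persistent_nameid(SAMPLE_NAMEID)
    print(nid, audience_accepts(nid, "https://sp1.example.org",
                                {"https://coi.example.org/affiliation"}))
```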