On 5/23/14, 8:59 AM, "Sam Hartman" <[log in to unmask]> wrote:
>I'm still trying to understand how the SAML community got to desiring a
>triple before I can make up my mind on preferences.
DNS domains have no intrinsic relationship to SAML entities, and the
scoping qualifiers attached to a persistent ID are the entity names
involved, or in the case of an affiliation of SPs, the affiliation ID.
That all dates back to before SAML existed, to Liberty.
It's also not a triple; it's an XML element with three primary attributes
(aside from Format) and a value. Using a triplet syntax is a pickling
convenience; it's not the actual normative value.
And again, as I said, the reason for naming the SP explicitly (which your
proposal does not do) is to allow for complex flows in which IDs go to
parties *not* named in the qualifiers. The pairwise nature of an ID is
about scoping and uniqueness, not about policy. Nothing intrinsic prevents
a pairwise ID from being communicated to a party not a member of the pair;
that's a matter of policy and the use case.
-- Scott
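The structure described above, as an added illustration that is not part of the thread and not code from any SAML implementation: a persistent NameID is an element carrying NameQualifier, SPNameQualifier, Format and a value, and the "triple" string is only a serialization of it. The example assumes a Shibboleth-style pickling with '!' as the separator (the thread does not name one); the entity IDs, the affiliation ID and the ID value are constructed sample data.

```python
"""Persistent NameID: the XML element vs. its "triple" pickling.

Added example, not from the mailing-list thread. It assumes a
"NameQualifier!SPNameQualifier!value" serialization with '!' as separator
(an assumption; the thread names no separator). All entity IDs and the ID
value are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SEP = "!"  # assumed pickling separator, not a normative SAML value
ET.register_namespace("saml", SAML_NS)


@dataclass(frozen=True)
class NameID:
    value: str
    name_qualifier: Optional[str] = None     # issuing IdP entityID
    sp_name_qualifier: Optional[str] = None  # SP entityID, or an affiliation ID
    fmt: str = PERSISTENT

    def scope_key(self):
        # Uniqueness of a persistent ID is the full pairwise scope, not the
        # opaque value on its own: same value under another SP qualifier is
        # a different identifier.
        return (self.name_qualifier, self.sp_name_qualifier, self.value)


def parse_name_id(xml_text: str) -> NameID:
    """Read a saml:NameID element into its normative parts."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("not a saml:NameID element")
    return NameID(
        value=(el.text or "").strip(),
        name_qualifier=el.get("NameQualifier"),
        sp_name_qualifier=el.get("SPNameQualifier"),
        fmt=el.get("Format", PERSISTENT),
    )


def to_xml(nid: NameID) -> str:
    """Serialize back to the element form, Format included."""
    el = ET.Element(f"{{{SAML_NS}}}NameID")
    el.set("Format", nid.fmt)
    if nid.name_qualifier:
        el.set("NameQualifier", nid.name_qualifier)
    if nid.sp_name_qualifier:
        el.set("SPNameQualifier", nid.sp_name_qualifier)
    el.text = nid.value
    return ET.tostring(el, encoding="unicode")


def to_triple(nid: NameID) -> str:
    """Pickle to the triple string. This drops Format, so it is only safe
    for a persistent ID, and refuses parts that contain the separator."""
    parts = (nid.name_qualifier, nid.sp_name_qualifier, nid.value)
    if nid.fmt != PERSISTENT or any(p is None for p in parts):
        raise ValueError("triple form needs a fully qualified persistent ID")
    if any(SEP in p for p in parts):
        raise ValueError(f"component contains separator {SEP!r}")
    return SEP.join(parts)


def from_triple(triple: str) -> NameID:
    """Unpickle; Format is assumed persistent because the triple lost it."""
    parts = triple.split(SEP, 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed triple")
    nq, spq, value = parts
    return NameID(value=value, name_qualifier=nq, sp_name_qualifier=spq)


def same_identity(a: NameID, b: NameID) -> bool:
    """Two NameIDs denote the same identifier only under the same scope."""
    return a.fmt == b.fmt and a.scope_key() == b.scope_key()


# Constructed sample element (entity IDs and value are made up).
SAMPLE_XML = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="https://idp.example.edu/idp/shibboleth" '
    'SPNameQualifier="https://sp.example.org/shibboleth">'
    "rZ7sQ1kM2xVq8dL0c3N9Yw==</saml:NameID>"
)
SAMPLE_NAMEID = parse_name_id(SAMPLE_XML)

# Same value scoped to a (constructed) SP affiliation instead of one SP.
AFFILIATED_NAMEID = NameID(
    value=SAMPLE_NAMEID.value,
    name_qualifier=SAMPLE_NAMEID.name_qualifier,
    sp_name_qualifier="https://affiliation.example.org/members",
)

if __name__ == "__main__":
    print(to_triple(SAMPLE_NAMEID))
    print(same_identity(SAMPLE_NAMEID, AFFILIATED_NAMEID))
```

The `scope_key` check is the practical point of the thread: a relying party that keys its records on the bare value, ignoring the qualifiers, will conflate identifiers that the IdP scoped differently; and because `to_triple` discards Format, the triple is fit for storage and logging of persistent IDs only, never as a substitute for the element on the wire.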