Re: [liberty-dev] 2 items for clarification in protocols and schemas document


From Jon Serg <serg@Sun.COM>
Date Sun, 11 Aug 2002 21:23:31 -0700
In-reply-to <00ea01c241b4$16aab480$560210ac@vineet>
References <200208092300.g79N0oBm021204@vernors.eng.sun.com> <00ea01c241b4$16aab480$560210ac@vineet>
Reply-to liberty-dev@emailprotection.org
Sender liberty-dev-owner@emailprotection.org

--On Monday, August 12, 2002 9:25 AM +0530 Vineet Arora <varora@ggn.aithent.com> wrote:

About the second question I am not very sure what the answer is like, but
the answer to the first question, according to my understanding, is that the
sender will only include its own specified NameIdentifier for the
principal to the receiver; that is, during the maintaining of user mapping
each of the sender and receiver would have decided on a NameIdentifier for
a principal at the IDP and the SP end. This NameIdentifier will be
included in the Logout Request.


Hi.

That wasn't quite the question for #1. I was assuming that RegisterNameIdentifierRequest had not been used.

I was trying to get at this situation in #1...
- IDP returns AuthnResponse to SP, containing NameIdentifier:
<saml:NameIdentifier NameQualifier="foo" Format="bar">baz</saml:NameIdentifier>
- SP does not send RegisterNameIdentifier request (since it is optional).
- SP sends LogoutNotification to IDP, only sends <saml:NameIdentifier>baz</saml:NameIdentifier>, omitting the NameQualifier and Format attributes since they are marked as optional in the SAML specification. If the IDP relies on the name qualifier to disambiguate the value of the name field, it may not be able to find the user record as a result.

To me it makes the most sense to require the SP to include the same saml:NameIdentifier element without any changes or omissions to the attributes. But the spec does not explicitly define this; on protocols-schemas-v1.0 lines 811 and 863, it is only specified as "the name identifier of the Principal...".

Thus my question was really how others trying to implement the protocol spec had interpreted this (but I managed to not express that very well late on a Friday). I have run into at least one implementation that interpreted this differently than I did, and we couldn't interoperate as a result without a workaround.


----- Original Message -----
From: "Jon Serg" <sergent@Sun.COM>
To: <liberty-dev@emailprotection.org>
Sent: Saturday, August 10, 2002 4:30 AM
Subject: [liberty-dev] 2 items for clarification in protocols and schemas document
Here are two things in the protocols and schemas document that recently
came up for us as potential interoperability problems:
(1) In the Single Logout protocol, the specification doesn't seem to
    explicitly say whether the sender needs to include the entire
    NameIdentifier that was sent in the Assertion (or possibly
    RegisterNameIdentifierRequest), or just the mandatory value.  The
    qualifier and format are optional.
    It seems to me that the sender should send back everything that was
    in the original name identifier from the assertion.  So, for
    example, if the IDP fills in all three fields in the name
    identifier in the assertion, the SP should send all three back at
    logout time, but if the IDP only fills in two of them, the SP
    should only send back those two and omit the third.  But it's
    possible that others who don't intend to use the optional fields
    might skip parsing and storing them entirely...

(2) The schema defines a lib:Assertion element that is not used anywhere.

    This is potentially misleading; it is possible that some may assume
    that the authentication statement should contain
        <lib:Assertion ...>...</lib:Assertion>
    instead of
        <saml:Assertion xsi:type="lib:AssertionType" ...>...</saml:Assertion>

    leading to interoperability problems.  (My understanding is that only
    the second is legal inside the AuthenticationStatement.)
Has anyone else run into these problems?  How have others handled these
sections?
--
Jon Serg / serg@Sun.COM
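To make item (1) concrete, here is an added example that is not part of the thread and not code from any Liberty or Sun implementation. It is a toy IDP-side federation lookup: the IDP stores the full (NameQualifier, Format, value) tuple it issued, and the SP either echoes that tuple unchanged at logout time or strips the optional attributes. The federation table, the principal names and the "stripped" logout element are constructed for the example; the only thing taken from the thread is the `foo`/`bar`/`baz` NameIdentifier. It assumes the SAML 1.0 assertion namespace and, for stand-alone parsing, declares the `saml` prefix on the element itself rather than on an enclosing message.

```python
# Added example (not from the liberty-dev thread or any Liberty implementation):
# an IDP-side federation lookup showing why the SP should echo the full
# saml:NameIdentifier, NameQualifier and Format included, at single-logout time.
# Records, principal names and element strings below are constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.0 assertion namespace
NAME_ID_TAG = "{%s}NameIdentifier" % SAML_NS
ET.register_namespace("saml", SAML_NS)


def parse_name_identifier(xml_text):
    """Return (NameQualifier, Format, value) from a saml:NameIdentifier element.
    Optional attributes the sender omitted come back as None."""
    elem = ET.fromstring(xml_text)
    if elem.tag != NAME_ID_TAG:
        raise ValueError("expected saml:NameIdentifier, got %s" % elem.tag)
    return (elem.get("NameQualifier"), elem.get("Format"), (elem.text or "").strip())


def build_name_identifier(name_id):
    """Serialize a (NameQualifier, Format, value) tuple as saml:NameIdentifier,
    emitting only the attributes that are actually present.  An SP that keeps the
    tuple from the assertion and sends it through here echoes exactly what the
    IDP issued: three fields if the IDP sent three, two if it sent two."""
    qualifier, fmt, value = name_id
    elem = ET.Element(NAME_ID_TAG)
    if qualifier is not None:
        elem.set("NameQualifier", qualifier)
    if fmt is not None:
        elem.set("Format", fmt)
    elem.text = value
    return ET.tostring(elem, encoding="unicode")


# Constructed IDP federation table.  Two principals were given the same opaque
# value "baz" under different name qualifiers, so the qualifier is what keeps
# the records apart.
FEDERATIONS = [
    {"qualifier": "foo", "format": "bar", "value": "baz", "principal": "alice"},
    {"qualifier": "qux", "format": "bar", "value": "baz", "principal": "bob"},
    {"qualifier": "foo", "format": "bar", "value": "quux", "principal": "carol"},
]


def resolve_principal(federations, name_id, strict=True):
    """Map the NameIdentifier from a logout request back to a principal.

    strict=True  : the IDP indexes by the full tuple it issued; a request that
                   drops NameQualifier/Format simply does not match anything.
    strict=False : omitted attributes act as wildcards; the request can then
                   match more than one federation and the IDP still cannot tell
                   whose session to end.
    Returns "ok:<principal>", "not-found" or "ambiguous:<n>"."""
    qualifier, fmt, value = name_id
    if strict:
        matches = [r for r in federations
                   if (r["qualifier"], r["format"], r["value"]) == (qualifier, fmt, value)]
    else:
        matches = [r for r in federations
                   if r["value"] == value
                   and (qualifier is None or r["qualifier"] == qualifier)
                   and (fmt is None or r["format"] == fmt)]
    if len(matches) == 1:
        return "ok:%s" % matches[0]["principal"]
    if not matches:
        return "not-found"
    return "ambiguous:%d" % len(matches)


def logout_outcome(logout_name_id_xml, strict=True):
    """Outcome of a logout request that carries the given saml:NameIdentifier."""
    return resolve_principal(FEDERATIONS, parse_name_identifier(logout_name_id_xml), strict)


# The NameIdentifier as the IDP put it in the AuthnResponse (values from the thread).
ASSERTION_NAME_ID = ('<saml:NameIdentifier xmlns:saml="%s" NameQualifier="foo" '
                     'Format="bar">baz</saml:NameIdentifier>' % SAML_NS)

# What an SP that discarded the optional attributes sends at logout time.
STRIPPED_NAME_ID = '<saml:NameIdentifier xmlns:saml="%s">baz</saml:NameIdentifier>' % SAML_NS

# What an SP that echoes the assertion's NameIdentifier unchanged sends.
ECHOED_NAME_ID = build_name_identifier(parse_name_identifier(ASSERTION_NAME_ID))

if __name__ == "__main__":
    print("echoed, strict IDP   :", logout_outcome(ECHOED_NAME_ID))                 # ok:alice
    print("stripped, strict IDP :", logout_outcome(STRIPPED_NAME_ID))               # not-found
    print("stripped, lenient IDP:", logout_outcome(STRIPPED_NAME_ID, strict=False))  # ambiguous:2
```

Both IDP behaviours fail on the stripped element: a strict IDP cannot find the record at all, and a lenient one that treats missing attributes as wildcards ends up with two candidates and no way to pick. Only the SP that stores and re-sends the tuple it received, with exactly the attributes the IDP filled in, interoperates with both.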
