From: Jon Serg <serg@Sun.COM>
Date: Sun, 11 Aug 2002 21:23:31 -0700
References: <200208092300.g79N0oBm021204@vernors.eng.sun.com> <00ea01c241b4$16aab480$560210ac@vineet>
--On Monday, August 12, 2002 9:25 AM +0530 Vineet Arora <firstname.lastname@example.org> wrote:
About the second question I am not very sure what the answer is like, but the answer to the first question, according to my understanding, is that the sender will only include its own specified NameIdentifier for the principal to the receiver; that is, during the maintaining of user mapping, each of the sender and receiver would have decided on a NameIdentifier for a principal at the IDP and the SP end. This NameIdentifier will be included in the Logout Request.
That wasn't quite the question for #1. I was assuming that RegisterNameIdentifierRequest had not been used.
I was trying to get at this situation in #1...
- IDP returns AuthnResponse to SP, containing NameIdentifier:
<saml:NameIdentifier NameQualifier="foo" Format="bar">baz</saml:NameIdentifier>
- SP does not send RegisterNameIdentifier request (since it is optional).
- SP sends LogoutNotification to IDP, only sends <saml:NameIdentifier>baz</saml:NameIdentifier>, omitting the NameQualifier and Format attributes since they are marked as optional in the SAML specification. If the IDP relies on the name qualifier to disambiguate the value of the name field, it may not be able to find the user record as a result.
To me it makes the most sense to require the SP to include the same saml:NameIdentifier element without any changes or omissions to the attributes. But the spec does not explicitly define this; on protocols-schemas-v1.0 lines 811 and 863, it is only specified as "the name identifier of the Principal...".
Thus my question was really how others trying to implement the protocol spec had interpreted this (but I managed to not express that very well late on a Friday). I have run into at least one implementation that interpreted this differently than I did, and we couldn't interoperate as a result without a workaround.
----- Original Message -----
From: "Jon Serg" <sergent@Sun.COM>
To: <email@example.com>
Sent: Saturday, August 10, 2002 4:30 AM
Subject: [liberty-dev] 2 items for clarification in protocols and schemas document

Here are two things in the protocols and schemas document that recently came up for us as potential interoperability problems:

(1) In the Single Logout protocol, the specification doesn't seem to explicitly say whether the sender needs to include the entire NameIdentifier that was sent in the Assertion (or possibly RegisterNameIdentifierRequest), or just the mandatory value. The qualifier and format are optional.

It seems to me that the sender should send back everything that was in the original name identifier from the assertion. So, for example, if the IDP fills in all three fields in the name identifier in the assertion, the SP should send all three back at logout time, but if the IDP only fills in two of them, the SP should only send back those two and omit the third. But it's possible that others who don't intend to use the optional fields might skip parsing and storing them entirely...

(2) The schema defines a lib:Assertion element that is not used anywhere. This is potentially misleading; it is possible that some may assume that the authentication statement should contain <lib:Assertion ...>...</lib:Assertion> instead of <saml:Assertion xsi:type="lib:AssertionType" ...>...</saml:Assertion>, leading to interoperability problems. (My understanding is that only the second is legal inside the AuthenticationStatement.)

Has anyone else run into these problems? How have others handled these sections?
-- Jon Serg / serg@Sun.COM
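As an added illustration of the logout failure mode discussed under #1 (example code written for this archive, not code from the thread or from any Liberty implementation): an IDP that keys its sessions on the full NameIdentifier parses the identifier it issued and the one the SP returns at logout, and shows what happens when the SP drops the optional NameQualifier and Format attributes. The session table, the two messages and the function names (`resolve_logout`, `find_sessions`) are constructed for the example; the namespace URI is the SAML 1.0 assertion namespace that Liberty ID-FF builds on.

```python
"""Matching a SAML NameIdentifier at Single Logout time.

Constructed example: an IDP that stores the identifier it issued and must
decide whether a logout request's NameIdentifier names exactly one session.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SAML 1.0 assertion namespace (the schema Liberty ID-FF 1.x extends).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass(frozen=True)
class NameIdentifier:
    value: str                       # mandatory element content
    qualifier: Optional[str] = None  # optional NameQualifier attribute
    fmt: Optional[str] = None        # optional Format attribute


def parse_name_identifier(xml_text: str) -> NameIdentifier:
    """Parse one <saml:NameIdentifier> element (namespace must be declared)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}NameIdentifier":
        raise ValueError(f"expected saml:NameIdentifier, got {root.tag}")
    value = (root.text or "").strip()
    if not value:
        raise ValueError("NameIdentifier has no value")
    return NameIdentifier(value, root.get("NameQualifier"), root.get("Format"))


# Constructed IDP session table: identifier as issued -> local user.
# Two distinct principals share the value "baz" under different qualifiers,
# which is exactly the situation the qualifier exists to disambiguate.
SESSIONS: List[Tuple[NameIdentifier, str]] = [
    (NameIdentifier("baz", "foo", "bar"), "alice"),
    (NameIdentifier("baz", "other-sp", "bar"), "bob"),
]


def find_sessions(received: NameIdentifier, strict: bool = True) -> List[str]:
    """Return the users whose issued identifier matches the received one.

    strict=True : the identifier must come back exactly as issued (the
                  interpretation argued for in the thread).
    strict=False: match on the mandatory value only, ignoring attributes.
    """
    hits = []
    for issued, user in SESSIONS:
        same = issued == received if strict else issued.value == received.value
        if same:
            hits.append(user)
    return hits


def resolve_logout(xml_text: str, strict: bool = True) -> Tuple[str, Optional[str]]:
    """Classify a logout request's NameIdentifier against the session table.

    Returns ("ok", user), ("not-found", None) or ("ambiguous", None). An
    ambiguous match is never acted on: ending the wrong principal's session,
    or several at once, is worse than rejecting the request.
    """
    received = parse_name_identifier(xml_text)
    hits = find_sessions(received, strict=strict)
    if len(hits) == 1:
        return "ok", hits[0]
    if not hits:
        return "not-found", None
    return "ambiguous", None


# Constructed messages: what the IDP issued in the AuthnResponse, and what an
# SP that discarded the optional attributes sends back in the logout request.
ISSUED_XML = (
    f'<saml:NameIdentifier xmlns:saml="{SAML_NS}" '
    'NameQualifier="foo" Format="bar">baz</saml:NameIdentifier>'
)
TRUNCATED_XML = f'<saml:NameIdentifier xmlns:saml="{SAML_NS}">baz</saml:NameIdentifier>'

if __name__ == "__main__":
    print("full identifier, strict:", resolve_logout(ISSUED_XML))
    print("truncated, strict:      ", resolve_logout(TRUNCATED_XML))
    print("truncated, value-only:  ", resolve_logout(TRUNCATED_XML, strict=False))
```

With strict matching the truncated identifier simply fails to resolve, which is the interoperability symptom described above; relaxing the match to the value alone does not repair it, because the same value can legitimately belong to more than one principal once qualifiers differ, and the IDP then cannot tell which session to end.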