From: Jon Serg <serg@Sun.COM>
Date: Mon, 12 Aug 2002 16:54:25 -0700
--On Monday, August 12, 2002 3:57 PM -0700 "Hubert A. Le Van Gong" <email@example.com> wrote:
> I think the problem comes from the fact that we should have <IDPProvidedNameIdentifier> instead of <saml:NameIdentifier> in the SingleLogoutNotification element. It could also be <SPProvidedNameIdentifier> if the Register Name Identifier protocol was used prior to logout.
Note that logout can be initiated by either provider. Whose name identifier it is should be implicit in the relationship between the two entities. Using "IDPProvidedNameIdentifier" and "SPProvidedNameIdentifier" elements would only create more error cases the way I see it. The identifier used should be the one provided by the IDP, except for IDP initiated logout or federation termination when RegisterNameIdentifier has been used.
> In the 1st case, there should not be any problem as it's the IdP itself which generated it: the SPs have to use the very same identifier, not a truncated version of it (the optional aspect is just at creation time IMHO): this is a direct consequence of lines 926-927 (Section 3.3). In the case where an <SPProvidedNameIdentifier> has been generated, the IdP should make sure it has a way to uniquely identify the user (e.g. association between the SP Id and the <SPProvidedNameIdentifier>).
There is nothing I can find that says the SP cannot omit the name qualifier and domain... SAML just says their use is implementation defined.
I had an actual interop problem due to another implementation which truncated it. This was not an IDP provided versus SP provided problem, which is a little tricky but is clearly defined in the section of the spec about register name identifier. In this case, we weren't using register name identifier at all. They agreed that they shouldn't have truncated it, but we couldn't find anything in the spec which explicitly required them not to. They have since fixed the problem. All I'm saying is that a clarification should be issued to state this more definitively in the spec to avoid the problem in the future.
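The two points argued in this exchange, that a peer must send back the IdP's name identifier exactly as issued (qualifier and format included, never a truncated value) and that an IdP must key SP-provided identifiers by the sending provider, can be checked mechanically on the IdP side. The following is an added example written for this page, not code from the thread participants or from any Liberty implementation. The Liberty namespace URI, the provider identifiers, the identifier values and the message shape are constructed for illustration; the SAML 1.0 assertion namespace is the real one.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SAML 1.0 assertion namespace is real; the Liberty namespace URI below is an
# assumed placeholder used only so the constructed messages parse.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
LIB_NS = "urn:liberty:iff:example"
NS = {"saml": SAML_NS, "lib": LIB_NS}


@dataclass(frozen=True)
class NameIdentifier:
    """The value alone does not identify a principal: NameQualifier and Format
    are part of the identifier and take part in equality (frozen dataclass)."""
    value: str
    name_qualifier: Optional[str]
    fmt: Optional[str]

    @classmethod
    def from_element(cls, el: ET.Element) -> "NameIdentifier":
        return cls((el.text or "").strip(), el.get("NameQualifier"), el.get("Format"))

    def is_truncation_of(self, issued: "NameIdentifier") -> bool:
        """Same value, but the sender dropped the qualifier and/or the format."""
        return (self.value == issued.value and self != issued
                and self.name_qualifier in (None, issued.name_qualifier)
                and self.fmt in (None, issued.fmt))


def parse_logout(message_xml: str) -> Tuple[str, NameIdentifier]:
    """Return (sender ProviderID, NameIdentifier) from a logout notification."""
    root = ET.fromstring(message_xml)
    provider = root.findtext("lib:ProviderID", namespaces=NS)
    el = root.find("saml:NameIdentifier", NS)
    if provider is None or el is None:
        raise ValueError("logout message lacks ProviderID or NameIdentifier")
    return provider.strip(), NameIdentifier.from_element(el)


# IdP-side federation table, keyed by (sender ProviderID, NameIdentifier) so an
# identifier chosen by one SP (the SPProvidedNameIdentifier case) can never
# collide with one chosen by another SP or by the IdP itself.
Federations = Dict[Tuple[str, NameIdentifier], str]


def check_logout(federations: Federations, message_xml: str) -> str:
    """Classify an incoming logout as 'ok:<principal>', 'truncated' or 'unknown'."""
    provider, presented = parse_logout(message_xml)
    principal = federations.get((provider, presented))
    if principal is not None:
        return f"ok:{principal}"
    # Diagnose the interop failure from the thread: a peer that stripped the
    # NameQualifier/Format and sent back only the bare value.
    for (fed_provider, issued), _ in federations.items():
        if fed_provider == provider and presented.is_truncation_of(issued):
            return "truncated"
    return "unknown"


# Constructed sample data (hypothetical providers, values and principals).
IDP = "https://idp.example.net"
SP = "https://sp.example.org"
FEDERATED = "urn:liberty:iff:nameid:federated"

FEDERATIONS: Federations = {
    (SP, NameIdentifier("f3d9a1c0", IDP, FEDERATED)): "alice",     # IdP-provided
    (SP, NameIdentifier("sp-chosen-77", SP, FEDERATED)): "bob",    # SP-provided
}


def _logout(provider: str, attrs: str, value: str) -> str:
    # Constructed message shaped like the thread's SingleLogoutNotification.
    return (f'<lib:SingleLogoutNotification xmlns:lib="{LIB_NS}" xmlns:saml="{SAML_NS}">'
            f"<lib:ProviderID>{provider}</lib:ProviderID>"
            f"<saml:NameIdentifier{attrs}>{value}</saml:NameIdentifier>"
            "</lib:SingleLogoutNotification>")


LOGOUT_OK = _logout(SP, f' NameQualifier="{IDP}" Format="{FEDERATED}"', "f3d9a1c0")
LOGOUT_TRUNCATED = _logout(SP, "", "f3d9a1c0")  # qualifier and format dropped by the peer
LOGOUT_SP_PROVIDED = _logout(SP, f' NameQualifier="{SP}" Format="{FEDERATED}"', "sp-chosen-77")
LOGOUT_FOREIGN = _logout("https://other.example.com",
                         f' NameQualifier="{IDP}" Format="{FEDERATED}"', "f3d9a1c0")

if __name__ == "__main__":
    for name, msg in [("exact", LOGOUT_OK), ("truncated", LOGOUT_TRUNCATED),
                      ("sp-provided", LOGOUT_SP_PROVIDED), ("foreign", LOGOUT_FOREIGN)]:
        print(f"{name:12s} -> {check_logout(FEDERATIONS, msg)}")
```

The lookup deliberately refuses a bare value that matches an issued identifier only after its qualifier and format are ignored; reporting it as "truncated" rather than silently accepting it is what surfaces the interop bug described above instead of masking it. Keying the table by sending provider is the "association between the SP Id and the SPProvidedNameIdentifier" the thread calls for, and it also means a logout from an unrelated provider for a known value is rejected.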