Re: [liberty-dev] 2 items for clarification in protocols and schemas document


To liberty-dev@emailprotection.org
From Jon Serg <serg@Sun.COM>
Date Mon, 12 Aug 2002 16:54:25 -0700
In-reply-to <3D583D63.4070101@arch.sel.sony.com>
References <3D583D63.4070101@arch.sel.sony.com>
Reply-to liberty-dev@emailprotection.org
Sender liberty-dev-owner@emailprotection.org


--On Monday, August 12, 2002 3:57 PM -0700 "Hubert A. Le Van Gong" <lvg@arch.sel.sony.com> wrote:

I think the problem comes from the fact that we should have
<IDPProvidedNameIdentifier> instead of <saml:NameIdentifier>
in the SingleLogoutNotification element.
It could also be <SPProvidedNameIdentifier> if the Register
Name Identifier protocol was used prior to logout.


Note that logout can be initiated by either provider. Whose name identifier it is should be implicit in the relationship between the two entities. Using "IDPProvidedNameIdentifier" and "SPProvidedNameIdentifier" elements would only create more error cases the way I see it. The identifier used should be the one provided by the IDP, except for IDP initiated logout or federation termination when RegisterNameIdentifier has been used.

In the 1st case, there should not be any problem as it's the IdP
itself which generated it: the SPs have to use the very same
identifier, not a truncated version of it (the optional aspect
is just at creation time IMHO): this is a direct consequence
of lines 926-927 (Section 3.3).
In the case where an <SPProvidedNameIdentifier> has been
generated, the IdP should make sure it has a way to uniquely
identify the user (e.g. association between the SP Id and the
<SPProvidedNameIdentifier>).


There is nothing I can find that says the SP cannot omit the name qualifier and domain... SAML just says their use is implementation defined.

I had an actual interop problem due to another implementation which truncated it. This was not an IDP provided versus SP provided problem, which is a little tricky but is clearly defined in the section of the spec about register name identifier. In this case, we weren't using register name identifier at all. They agreed that they shouldn't have truncated it, but we couldn't find anything in the spec which explicitly required them not to. They have since fixed the problem. All I'm saying is that a clarification should be issued to state this more definitively in the spec to avoid the problem in the future.

--jss.
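The truncation problem Jon describes, as an added example that is not part of the thread: a check on the receiving provider that parses the saml:NameIdentifier out of a SingleLogoutNotification and matches it on NameQualifier, Format and value together, so a peer that sent only the bare value is rejected rather than matched against a record from some other domain. The SAML 1.0 assertion namespace is real; the Liberty namespace URI, the federation store and all sample values are assumed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

# The SAML 1.0 namespace is the real one; the Liberty URI is a placeholder.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
LIB_NS = "urn:example:liberty-placeholder"

class NameId(NamedTuple):
    qualifier: Optional[str]   # NameQualifier attribute (the "domain" part)
    fmt: Optional[str]         # Format attribute
    value: str                 # element text

def parse_name_id(xml_text: str) -> NameId:
    """Extract the saml:NameIdentifier carried in a SingleLogoutNotification."""
    root = ET.fromstring(xml_text)
    nid = root.find(f"{{{SAML_NS}}}NameIdentifier")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("notification carries no NameIdentifier")
    return NameId(nid.get("NameQualifier"), nid.get("Format"), nid.text.strip())

def name_ids_match(received: NameId, stored: NameId, strict: bool = True) -> bool:
    """strict=True compares all three parts; strict=False is the lax value-only
    comparison that lets a truncated identifier slip through."""
    if not strict:
        return received.value == stored.value
    return received == stored

def logout_decision(xml_text: str, federations: dict, strict: bool = True) -> str:
    """Return 'logout' when the identifier maps to a known federation record,
    otherwise 'reject'; federations is {peer provider id: NameId} (assumed shape)."""
    received = parse_name_id(xml_text)
    for stored in federations.values():
        if name_ids_match(received, stored, strict):
            return "logout"
    return "reject"

# Constructed sample messages and store (not captured traffic).
FULL = f"""<SingleLogoutNotification xmlns="{LIB_NS}" xmlns:saml="{SAML_NS}">
  <saml:NameIdentifier NameQualifier="idp.example.com"
      Format="urn:example:federated">AbC123</saml:NameIdentifier>
</SingleLogoutNotification>"""
TRUNCATED = f"""<SingleLogoutNotification xmlns="{LIB_NS}" xmlns:saml="{SAML_NS}">
  <saml:NameIdentifier>AbC123</saml:NameIdentifier>
</SingleLogoutNotification>"""

FEDERATIONS = {"sp.example.net": NameId("idp.example.com", "urn:example:federated", "AbC123")}
```

With the lax comparison the truncated notification is accepted; with the strict one it is rejected, which is the behaviour a spec clarification would make mandatory.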

