[liberty-dev] Single sign-on and unique name identifiers

To “Liberty-Dev” <liberty-dev@emailprotection.org>
From “Wotk Rap” <WotkRap@TrustEngineering.co.uk>
Date Wed, 18 Sep 2002 18:57:42 +0100
Importance Normal
Reply-to liberty-dev@emailprotection.org
Sender liberty-dev-owner@emailprotection.org

On subsequent sign-ons, in which the IdP does not engage the user in any
authentication, I assume that the 'authenticated' status is derived from the
HTTP session which the IdP has established for the user first time through.
In other words, the SP sends an AuthnRequest to the IdP, the IdP sees the
authenticated state in the session and sends an AuthnResponse back to the

How does it know which pair of federated name identifiers to put into the
<saml:Subject> element of AuthnResponse?

The original authentication returned a pair which - as I understand
Liberty - is unique to that IdP-SP federation.  The
<IDPProvidedNameIdentifier> part of the pair is unique in each federation
pair.  So, on subsequent sign-ons although the IdP can see an authenticated
session, how does it know where to find the correct name identifier pair?

Or is the <IDPProvidedNameIdentifier> common across SPs?

Wotk Rap

Partial thread listing:

[liberty-dev] Single sign-on and unique name identifiers
(Wojtek Rappak)
 Li,Yan (09/19/2002)
 Wojtek Rappak (09/20/2002)
 Conor P. Cahill (09/25/2002)
[liberty-dev] Identity Provider enrollment?
(Wojtek Rappak)


Please enter your comment!
Please enter your name here