From: "Wotk Rap" <WotkRap@TrustEngineering.co.uk>
Date: Wed, 18 Sep 2002 18:57:42 +0100
On subsequent sign-ons, in which the IdP does not engage the user in any authentication, I assume that the 'authenticated' status is derived from the HTTP session which the IdP has established for the user first time through. In other words, the SP sends an AuthnRequest to the IdP, the IdP sees the authenticated state in the session and sends an AuthnResponse back to the SP.

How does it know which pair of federated name identifiers to put into the <saml:Subject> element of the AuthnResponse? The original authentication returned a pair which - as I understand Liberty - is unique to that IdP-SP federation. The <IDPProvidedNameIdentifier> part of the pair is unique in each federation pair. So, on subsequent sign-ons, although the IdP can see an authenticated session, how does it know where to find the correct name identifier pair? Or is the <IDPProvidedNameIdentifier> common across SPs?

Wotk Rap
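As an added illustration (not part of the original message, and not code from any Liberty implementation), the Python sketch below shows one way an IdP can resolve the question asked above: the HTTP session only says who the principal is, while the federated name-identifier pair is looked up by (principal, requesting SP ProviderID), so each SP receives its own opaque <IDPProvidedNameIdentifier> and identifiers cannot be correlated across SPs. Class and method names are hypothetical and the ProviderID values are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Federation:
    # One pairwise pseudonym pair per (principal, SP) federation.
    idp_provided: str
    sp_provided: Optional[str] = None

@dataclass
class IdP:
    # Hypothetical in-memory IdP state (constructed for this example).
    sessions: dict = field(default_factory=dict)      # session_id -> principal
    federations: dict = field(default_factory=dict)   # (principal, sp_provider_id) -> Federation

    def login(self, principal: str) -> str:
        """Interactive authentication: establish the HTTP session."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = principal
        return session_id

    def register_sp_name_identifier(self, session_id, sp_provider_id, sp_name_id):
        """SP tells the IdP the <SPProvidedNameIdentifier> it uses for this federation."""
        fed = self.federations[(self.sessions[session_id], sp_provider_id)]
        fed.sp_provided = sp_name_id

    def handle_authn_request(self, session_id: str, sp_provider_id: str):
        """Build the <saml:Subject> name identifiers for an AuthnRequest.

        Authenticated state comes from the session; the correct pair is found
        by combining the session's principal with the SP's ProviderID carried
        in the AuthnRequest, never by the session alone."""
        principal = self.sessions.get(session_id)
        if principal is None:
            return None  # no authenticated session: a real IdP would prompt the user
        key = (principal, sp_provider_id)
        fed = self.federations.get(key)
        if fed is None:
            # First federation with this SP: mint an opaque, SP-specific pseudonym.
            fed = Federation(idp_provided=secrets.token_urlsafe(24))
            self.federations[key] = fed
        return {"IDPProvidedNameIdentifier": fed.idp_provided,
                "SPProvidedNameIdentifier": fed.sp_provided}
```

Because the lookup key includes the SP's ProviderID, a user federated with two SPs gets two unrelated identifiers, and a stale or forged session id yields no subject at all.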