|Date||Fri, 20 Sep 2002 10:53:46 +0900|
> On subsequent sign-ons, in which the IdP does not engage the user in any
> authentication, I assume that the 'authenticated' status is derived from the
> HTTP session which the IdP has established for the user first time through.
> In other words, the SP sends an AuthnRequest to the IdP, the IdP sees the
> authenticated state in the session and sends an AuthnResponse back to the
> SP.
>
> How does it know which pair of federated name identifiers to put into the
> <saml:Subject> element of AuthnResponse?
>
> The original authentication returned a pair which - as I understand
> Liberty - is unique to that IdP-SP federation. The
> <IDPProvidedNameIdentifier> part of the pair is unique in each federation
> pair. So, on subsequent sign-ons although the IdP can see an authenticated
> session, how does it know where to find the correct name identifier pair?

In your implementation, if the federation information record in the IdP holds the following fields:

UserId, ProviderId (the SP's ProviderId in this case), IDPProvidedNameIdentifier, ... (Key: UserId, ProviderId)

You can obtain the ProviderId from the SP's AuthnRequest and the UserId from the IdP's authenticated session. So, you can search for the only IDPProvidedNameIdentifier in the federation information because the keys are decided.

Li, Yan

>
> Or is the <IDPProvidedNameIdentifier> common across SPs?
>
> Wojtek Rappak
>
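The lookup Li Yan describes, written out as an added example (not code from the thread or from any Liberty implementation): the IdP keys its federation table on (UserId, SP ProviderId), takes the UserId from the authenticated session and the ProviderId from the AuthnRequest, and so selects exactly one name-identifier pair. The store layout, the session table, the `SPProvidedNameIdentifier` field name and the sample values are all constructed for illustration; the example also shows why a fresh random identifier per federation keeps a user's identifiers at different SPs unlinkable.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed federation store, keyed as the reply suggests:
# (UserId, SP ProviderId) -> (IDPProvidedNameIdentifier, SPProvidedNameIdentifier or None)
class IdentityProvider:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}                       # session cookie -> UserId
        self.federations: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {}

    def federate(self, user_id: str, sp_provider_id: str) -> str:
        """First sign-on at an SP: mint an opaque IDPProvidedNameIdentifier for this
        (user, SP) pair only. A random value per pair prevents cross-SP correlation."""
        key = (user_id, sp_provider_id)
        if key not in self.federations:
            self.federations[key] = (secrets.token_urlsafe(24), None)
        return self.federations[key][0]

    def register_sp_name_identifier(self, user_id: str, sp_provider_id: str, sp_name_id: str) -> None:
        """Optional: the SP later supplies its own half of the pair (assumed field name)."""
        idp_name_id, _ = self.federations[(user_id, sp_provider_id)]
        self.federations[(user_id, sp_provider_id)] = (idp_name_id, sp_name_id)

    def build_subject(self, session_cookie: str, authn_request: dict) -> Optional[dict]:
        """Subsequent sign-on: UserId from the session, ProviderId from the AuthnRequest.
        Returns the <saml:Subject> content, or None when the IdP must not assert anything."""
        user_id = self.sessions.get(session_cookie)
        if user_id is None:
            return None                                          # no authenticated session
        record = self.federations.get((user_id, authn_request["ProviderID"]))
        if record is None:
            return None                                          # user not federated with this SP
        idp_name_id, sp_name_id = record
        subject = {"IDPProvidedNameIdentifier": idp_name_id}
        if sp_name_id is not None:
            subject["SPProvidedNameIdentifier"] = sp_name_id
        return subject

def demo() -> dict:
    idp = IdentityProvider()
    idp.sessions["cookie-abc"] = "alice"                         # constructed: alice already signed on
    id_a = idp.federate("alice", "https://sp-a.example")
    id_b = idp.federate("alice", "https://sp-b.example")
    idp.register_sp_name_identifier("alice", "https://sp-a.example", "sp-a-handle-42")
    return {
        "sp_a": idp.build_subject("cookie-abc", {"ProviderID": "https://sp-a.example"}),
        "sp_b": idp.build_subject("cookie-abc", {"ProviderID": "https://sp-b.example"}),
        "unfederated": idp.build_subject("cookie-abc", {"ProviderID": "https://sp-c.example"}),
        "no_session": idp.build_subject("stale-cookie", {"ProviderID": "https://sp-a.example"}),
        "distinct_per_sp": id_a != id_b,
    }
```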