Re: [liberty-dev] Single sign-on and unique name identifiers

From: "Li,Yan"
Date: Fri, 20 Sep 2002 10:53:46 +0900

> On subsequent sign-ons, in which the IdP does not engage the user in any
> authentication, I assume that the 'authenticated' status is derived from the
> HTTP session which the IdP has established for the user first time through.
> In other words, the SP sends an AuthnRequest to the IdP, the IdP sees the
> authenticated state in the session and sends an AuthnResponse back to the
> SP.
> How does it know which pair of federated name identifiers to put into the
> <saml:Subject> element of AuthnResponse?
> The original authentication returned a pair which - as I understand
> Liberty - is unique to that IdP-SP federation.  The
> <IDPProvidedNameIdentifier> part of the pair is unique in each federation
> pair.  So, on subsequent sign-ons although the IdP can see an authenticated
> session, how does it know where to find the correct name identifier pair?

In your implementation, if the federation information record in the IdP holds
the following fields:
UserId, ProviderId (the SP's ProviderId in this case), IDPProvidedNameIdentifier, ...
(Key: UserId, ProviderId)

You can obtain the ProviderId from the SP's AuthnRequest and the UserId
from the IdP's authenticated session.

So you can look up the single IDPProvidedNameIdentifier in the federation
information, because both parts of the key are determined.


> Or is the <IDPProvidedNameIdentifier> common across SPs?
> Wojtek Rappak
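The lookup described in the reply, as an added example that is not code from this thread or from any Liberty implementation. It models the IdP's federation information as a table keyed by (UserId, ProviderId), takes ProviderId from the SP's AuthnRequest and UserId from the IdP's own session, and builds the Subject for the AuthnResponse from the one record that key selects. It also shows the two ways the lookup can fail (no authenticated session, no federation for that SP). The namespace URIs, the simplified Subject layout, the session map and all names (`FederationStore`, `handle_subsequent_sso`, the sample ProviderIDs) are assumptions for the example; the AuthnRequest and session data are constructed inline.

```python
"""IdP-side handling of a subsequent sign-on: resolve the federated name
identifier pair from (UserId, ProviderId). Added example, not from the thread."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed namespace URIs for this example only; use the ones of the spec
# revision you actually implement.
LIB_NS = "urn:liberty:iff:2002-09"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass(frozen=True)
class FederationRecord:
    """One row of the IdP's federation information (key: user_id, provider_id)."""
    user_id: str
    provider_id: str                        # the SP's ProviderID
    idp_provided_name_identifier: str       # opaque, unique per (user, SP) pair
    sp_provided_name_identifier: Optional[str] = None


class FederationStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], FederationRecord] = {}

    def federate(self, user_id: str, provider_id: str,
                 sp_name_identifier: Optional[str] = None) -> FederationRecord:
        # A fresh random value per federation: the identifier says nothing about
        # UserId, and two SPs cannot correlate the same user by comparing them.
        rec = FederationRecord(user_id, provider_id,
                               secrets.token_urlsafe(24), sp_name_identifier)
        self._records[(user_id, provider_id)] = rec
        return rec

    def lookup(self, user_id: str, provider_id: str) -> Optional[FederationRecord]:
        return self._records.get((user_id, provider_id))


def provider_id_from_authn_request(xml_text: str) -> str:
    """ProviderID is taken from the SP's AuthnRequest, as the reply says."""
    root = ET.fromstring(xml_text)
    el = root.find(f"{{{LIB_NS}}}ProviderID")
    if el is None or not (el.text or "").strip():
        raise ValueError("AuthnRequest carries no ProviderID")
    return el.text.strip()


def build_subject(rec: FederationRecord) -> str:
    """Simplified <saml:Subject> carrying the IdP-provided identifier (layout assumed)."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("lib", LIB_NS)
    subject = ET.Element(f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier")
    name_id.text = rec.sp_provided_name_identifier or rec.idp_provided_name_identifier
    idp_id = ET.SubElement(subject, f"{{{LIB_NS}}}IDPProvidedNameIdentifier")
    idp_id.text = rec.idp_provided_name_identifier
    return ET.tostring(subject, encoding="unicode")


def handle_subsequent_sso(store: FederationStore, sessions: Dict[str, str],
                          session_id: str, authn_request_xml: str) -> Tuple[str, Optional[str]]:
    """Return ("ok", subject_xml), or (reason, None) when no AuthnResponse can be built."""
    user_id = sessions.get(session_id)          # UserId comes from the IdP's session
    if user_id is None:
        return ("authn_required", None)         # no authenticated session: authenticate first
    provider_id = provider_id_from_authn_request(authn_request_xml)
    rec = store.lookup(user_id, provider_id)    # key (UserId, ProviderId) -> one record
    if rec is None:
        return ("federation_required", None)    # no pair for this SP yet; federate, if allowed
    return ("ok", build_subject(rec))


def authn_request(provider_id: str) -> str:
    """Constructed, minimal AuthnRequest for the example."""
    return (f'<lib:AuthnRequest xmlns:lib="{LIB_NS}">'
            f'<lib:ProviderID>{provider_id}</lib:ProviderID></lib:AuthnRequest>')


def demo() -> Dict[str, object]:
    store = FederationStore()
    sp_a, sp_b, sp_c = "https://sp-a.example/", "https://sp-b.example/", "https://sp-c.example/"
    rec_a = store.federate("alice", sp_a)       # alice is federated with SP A and SP B only
    rec_b = store.federate("alice", sp_b)
    sessions = {"sess-1": "alice"}              # constructed: alice already authenticated
    status_a, subject_a = handle_subsequent_sso(store, sessions, "sess-1", authn_request(sp_a))
    status_c, _ = handle_subsequent_sso(store, sessions, "sess-1", authn_request(sp_c))
    status_x, _ = handle_subsequent_sso(store, sessions, "sess-none", authn_request(sp_a))
    return {
        "distinct_per_sp": rec_a.idp_provided_name_identifier != rec_b.idp_provided_name_identifier,
        "status_a": status_a,
        "subject_a_uses_a_identifier": rec_a.idp_provided_name_identifier in (subject_a or ""),
        "subject_a_leaks_b_identifier": rec_b.idp_provided_name_identifier in (subject_a or ""),
        "status_unfederated_sp": status_c,
        "status_no_session": status_x,
    }


if __name__ == "__main__":
    print(demo())
```

The point the question circles around is visible in `demo()`: the same user has a different IDPProvidedNameIdentifier for each SP, so the IdP cannot derive the identifier from the session alone; it needs the SP's ProviderID from the request as the second half of the key, and an SP that has never been federated gets no identifier at all until a federation is created.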
