shibboleth-dev - Re: authentication authority
Subject: Shibboleth Developers
List archive
- From: Tom Scavo <>
- To: Scott Cantor <>
- Cc:
- Subject: Re: authentication authority
- Date: Mon, 10 Oct 2005 21:46:18 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=EKQg9hZTvKtYgaBdTqL6lRw+LbBkcDbhig56UrDK+j2lj6Xra72Ap5Zf7mfF9O0W5/HAzFBDFz4L4hkkkL6zMLk49dcZWHwtG3ZCtZtrhDtYdSEk7WX0HcYxV4hCHavBaEPWW284CQEH18onF4GJ4aEYOX7AqG1JomlLoo/LOPE=
On 10/8/05, Scott Cantor
<>
wrote:
>
> If you're going to invent new profiles
> or protocols in SAML 1.1, I'd just reinvent NameID mapping from 2.0,
Hmm, I'm not so sure. NameIDMappingRequest is intended for use by SPs
that already possess a NameID for the principal in question, so the
old NameID must be included in the request. In other words, the Name
Identifier Mapping Protocol assumes an act of authentication has
already occurred. In our case, the act of authentication occurs at
the time of request.
> I wouldn't bother with authentication assertions that aren't being used
> for authentication.
Well, authn assertions have <saml:Conditions> elements, which we sorta
need in this case since the lifetime of the name identifier must match
the lifetime of the proxy cert. [SAML2Prof] encourages this, in fact:
Additional limits on the use of the resulting identifier MAY be applied
by the identity provider by returning the mapped name identifier in the
form of an <Assertion> containing the identifier in its <Subject> but
without any statements.
This is not possible in SAML 1.1, however, since the <saml:Subject>
element is tied up in the statement. Also, it's not at all clear how
the desired lifetime should be communicated to the IdP.
Tom
- Re: authentication authority, (continued)
- Re: authentication authority, Von Welch, 10/04/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Tom Scavo, 10/05/2005
- RE: authentication authority, Scott Cantor, 10/06/2005
- Re: authentication authority, Von Welch, 10/07/2005
- RE: authentication authority, Scott Cantor, 10/07/2005
- Re: authentication authority, Chad La Joie, 10/07/2005
- Re: authentication authority, Von Welch, 10/09/2005
- Re: authentication authority, Von Welch, 10/07/2005
- Re: authentication authority, Tom Scavo, 10/08/2005
- Re: authentication authority, Scott Cantor, 10/08/2005
- Re: authentication authority, Tom Scavo, 10/10/2005
- RE: authentication authority, Scott Cantor, 10/10/2005
- Re: authentication authority, Tom Scavo, 10/12/2005
- RE: authentication authority, Scott Cantor, 10/13/2005
- Re: authentication authority, Tom Scavo, 10/13/2005
- Re: authentication authority, Scott Cantor, 10/13/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- Re: authentication authority, Brent Putman, 10/14/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- Re: authentication authority, Brent Putman, 10/14/2005
- Re: authentication authority, Tom Scavo, 10/14/2005
- RE: authentication authority, Scott Cantor, 10/06/2005
- Re: authentication authority, Tom Scavo, 10/05/2005
- RE: authentication authority, Scott Cantor, 10/04/2005
- Re: authentication authority, Von Welch, 10/04/2005
Archive powered by MHonArc 2.6.16.