Subject: Re: AuthenticatingAuthority usage
1) the AuthenticatingAuthority that references the "identity provider" -> is this the issuer of the SAML response, or the issuer of the assertion itself?
Looking at the errata version of the SAML profile spec, I think I have my answer now:
"If the <Response> message is signed or if an enclosed assertion is encrypted, then the <Issuer> element MUST be present. Otherwise it MAY be omitted. If present it MUST contain the unique identifier of the issuing identity provider;"

"It MUST contain at least one <Assertion>. Each assertion's <Issuer> element MUST contain the unique identifier of the [E26]responding identity provider;"

So a) I shouldn't use the Response's Issuer as it may be omitted and b) all the assertions within a SAML response should have the same unique identifier in their Issuer element, which is the *responding* identity provider (not the issuing as it was in the non-errata version of the spec).
However it's still a bit unclear what should happen with Assertions containing different AuthenticatingAuthority lists, but I guess that's more of an edge-case really...
Regards, Peter