On 2/28/13 4:33 AM, "Josh Howlett" <[email protected]> wrote:

>> 2. In section 2 for the last bullet point in the first list - should
>> this be the subject of an assertion or the subject of a protocol
>> message? I am always very unclear about SAML naming of items. However
>> this confirmation method can be in both a SAML assertion and in a
>> query (i.e. AttributeQuery).
>
> In SAML, only assertions and their requests have Subjects; framing PDUs
> do not. I'll try to make this more obvious in that bullet.

Queries have subjects. I think the bullet's context would apply to both.

>> 10. In section 7.4.2 - I think we might need to make a statement about
>> returning no subject identifier and the correct interaction with the
>> AllowCreate attribute. If the IdP is not going to return a name, but is
>> just returning a subject confirmation that says - the user associated
>> with this conversation - is this to be considered a "new identity" for
>> the user?
>
> I need to think about this; I will propose a form of words.

AllowCreate is an evil little gnome of a feature, but I think to address
Jim's point, it only applies to identifiers, period. If there's no
identifier asserted, it's irrelevant from a processing standpoint.

> The conditions included by the RP in the request are (SAMLCore section
> 3.4.1) "intended as input to the process of constructing the assertion,
> rather than as conditions on the use of the request itself". An assertion
> that includes these conditions can always be discarded by the RP, so I am
> unclear what value the new sentence adds?

I suppose it would be to limit the processing by the IdP if the RP knows
it's going to throw away the result anyway.

-- Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
