On 11/7/13, 11:27 AM, "Sam Hartman" <[email protected]> wrote:
> How exactly would one include a realm identifier in metadata? That is,
> is there a well-defined way to name a realm in SAML?
No, not really. Historically we took some pains to not tie SAML entities to DNS domains, because in a lot of cases what we were really doing was deciding whether to go along with the rest of the planet and conflate email address with identity.

There are a bunch of things surrounding this notion that overlap with IdP discovery (which can be realm-based, like in eduGAIN, but is that really not just email address? And if not, do users understand the difference?) and with how you do filtering of attributes.

At the end of the day, Shibboleth is the only implementation that really ever leveraged anything like a "Realm". We called it "Scope" and defined a metadata extension for it that allows an IdP to have a many-to-one relationship with a set of Scopes, which in practice are domains, though not by definition.

-- 
Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
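As an added illustration of the Scope extension Scott describes (this is not code from the thread or from the Shibboleth project), the following Python reads the shibmd:Scope elements an IdP declares in its SAML metadata and uses them to filter scoped attribute values such as eduPersonPrincipalName. The security point is the one behind attribute filtering: an IdP may only assert identities in scopes its metadata declares, so a value like mallory@example.edu.evil.org from an IdP whose scopes are example.edu must be dropped. The namespace (urn:mace:shibboleth:metadata:1.0), element name and regexp attribute are those of the real extension; the entityID, the scope values, the metadata document and the attribute values are constructed for the example, and the filtering rule is a simplified one modelled on the Shibboleth SP's AttributeScopeMatchesShibMDScope behaviour rather than a reimplementation of it.

```python
"""Filter scoped SAML attribute values against shibmd:Scope declarations.

Added example; metadata and attribute values below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample: one IdP declaring a literal scope and a regexp scope
# (the entityID and domains are hypothetical).
SAMPLE_METADATA = r"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\.example\.edu$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_scopes(metadata_xml):
    """Return {entityID: [(scope, is_regexp), ...]} for each IdP in the metadata.

    Accepts either a single EntityDescriptor or an EntitiesDescriptor aggregate.
    Only scopes under IDPSSODescriptor are used; an SP's own Extensions are ignored.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    result = {}
    for ent in entities:
        scopes = []
        for scope in ent.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            is_regexp = scope.get("regexp", "false").lower() == "true"
            scopes.append(((scope.text or "").strip(), is_regexp))
        result[ent.get("entityID")] = scopes
    return result


def scope_permitted(scope, declared):
    """True if `scope` matches one of the IdP's declared (pattern, is_regexp) scopes.

    Literal scopes compare case-insensitively (DNS names are); regexp scopes
    must match the whole scope string, so a pattern cannot be satisfied by a
    substring such as "example.edu" inside "example.edu.evil.org".
    """
    for pattern, is_regexp in declared:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def filter_scoped_values(entity_id, values, scopes_by_idp):
    """Keep only values of the form local@scope whose scope the asserting IdP declares.

    Values with no scope part, an empty local part, or an undeclared scope are
    dropped rather than passed through; an IdP with no declared scopes can
    assert nothing.
    """
    declared = scopes_by_idp.get(entity_id, [])
    accepted = []
    for value in values:
        if "@" not in value:
            continue
        local, _, scope = value.rpartition("@")
        if local and scope and scope_permitted(scope, declared):
            accepted.append(value)
    return accepted


def demo():
    """Run the filter over constructed eduPersonPrincipalName-style values."""
    scopes = load_scopes(SAMPLE_METADATA)
    values = [
        "alice@example.edu",             # literal scope: accepted
        "bob@cs.example.edu",            # matches the regexp scope: accepted
        "mallory@example.edu.evil.org",  # declared scope as a prefix only: rejected
        "eve@evil.org",                  # undeclared scope: rejected
        "carol",                         # unscoped value: rejected
    ]
    return filter_scoped_values("https://idp.example.edu/idp/shibboleth", values, scopes)


if __name__ == "__main__":
    print(demo())
```

The check is keyed on the entityID of the IdP that issued the assertion, which is the point of Scott's "many-to-one" remark: the SP never derives a realm from the entityID or from a DNS name, it trusts only the scopes the federation published for that entity, and a regexp scope lets one IdP cover a whole subtree of domains without listing each one.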
