On 07/11/2013 17:22, Cantor, Scott wrote:
> On 11/7/13, 11:27 AM, "Sam Hartman" <[email protected]> wrote:
>> How exactly would one include a realm identifier in metadata? That is,
>> is there a well defined way to name a realm in SAML?
>
> No, not really. Historically we took some pains to not tie SAML entities
> to DNS domains because in a lot of cases what we were really doing was
> deciding whether to go along with the rest of the planet and conflate
> email address with identity.
>
> There are a bunch of things surrounding this notion that overlap with IdP
> discovery (which can be realm based, like in edugain, but is that really
> not just email address? And if not, do users understand the difference?)
> and with how you do filtering of attributes.

The attributes issue, of how the SP's required set is indicated to the
IDP(s) and to the user, and user consent and choice (if alternatives
exist) is a much bigger issue than the naming of realms. In fact I would
say they are orthogonal. It would be nice to address both in ABFAB.

David

> At the end of the day, Shibboleth is the only implementation that really
> ever leveraged anything like a "Realm" and we called it "Scope" and
> defined a metadata extension for it that allows an IdP to have a many to
> one relationship with a set of Scopes. Which in practice are domains,
> though not by definition.
>
> -- Scott
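To make the Scope mechanism Scott describes concrete, here is an added example (not code from this thread, nor from the Shibboleth project) showing how an SP might read the `shibmd:Scope` metadata extension and use it to filter scoped attribute values. The namespace `urn:mace:shibboleth:metadata:1.0` and the `regexp` attribute are the real ones used by that extension; the entity IDs, scope values and attribute values are constructed for the example, and the exact matching rules (case-insensitive for literal scopes, full-match for regular expressions) are this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample metadata: one IdP entity carries several Scopes
# (the many-to-one relationship), a second IdP carries a different one.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        <shibmd:Scope regexp="false">students.example.org</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\\.campus\\.example\\.org$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">other.example</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_scopes(metadata_xml):
    """Return {entityID: [(pattern, is_regexp), ...]} for every IdP in the metadata."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        found = []
        for sc in ent.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            is_regexp = sc.get("regexp", "false").lower() == "true"
            found.append(((sc.text or "").strip(), is_regexp))
        if found:
            scopes[ent.get("entityID")] = found
    return scopes


def scope_permitted(scopes, entity_id, scope):
    """True if the named IdP is allowed (by metadata) to assert values in this scope."""
    for pattern, is_regexp in scopes.get(entity_id, []):
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def filter_scoped_attribute(scopes, entity_id, values):
    """Split scoped values (user@scope) into those the asserting IdP may use and those it may not.

    Values with no scope part are rejected: a scoped attribute without a scope
    cannot be checked against metadata and should not be trusted.
    """
    accepted, rejected = [], []
    for value in values:
        local, sep, scope = value.rpartition("@")
        if sep and local and scope and scope_permitted(scopes, entity_id, scope):
            accepted.append(value)
        else:
            rejected.append(value)
    return accepted, rejected


if __name__ == "__main__":
    scopes = load_scopes(SAMPLE_METADATA)
    idp = "https://idp.example.org/idp/shibboleth"
    # Constructed values as they might arrive in an assertion from that IdP.
    ok, bad = filter_scoped_attribute(scopes, idp, [
        "alice@example.org",
        "bob@lab.campus.example.org",
        "mallory@other.example",   # scope belongs to a different IdP
        "noscope",
    ])
    print("accepted:", ok)
    print("rejected:", bad)
```

The point of the filter is that metadata, not the assertion, decides which scopes an IdP may speak for: a value whose scope is registered to some other entity is dropped even though the assertion itself is validly signed.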
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab