> It's not enough that we claim that SAML entities names are true.
> That's actually not addressed by my reading of 5.3.2. The tricky issue is
> making sure that when SAML entities produce messages, they intend to
> allow the AAA entities discussed in 5.3.1 to use those messages.
> This is more of an issue of GSS-API channel binding than it is SAML
> naming.
Yes, you're right. The current text conflates the two issues of the issuer authorising the presenter, versus the consumer identifying the issuer. I think the right way to do this is at the binding level using the response's Recipient attribute, which needs to name the NAS. If Scott agrees (and if my brain does not implode in the interim) I'll propose some text. I think we'll probably also want to extend the NAI Name Identifier Format to accommodate naming the NAS, and use this name form within the recipient attribute.

Josh.

_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
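The consumer-side check Josh describes, the NAS verifying that the issuer actually named it in the Recipient attribute before accepting the assertion, as an added Python example that is not from the thread or from any ABFAB implementation. It assumes the Recipient attribute is carried on SubjectConfirmationData as in SAML 2.0 core, that the NAS's name is compared as an exact string (the constructed nas1@example.com stands in for whatever NAI-derived form is eventually specified), and that the response has already been signature-checked.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not from the thread); NotOnOrAfter is five
# minutes after T0 so the example can be evaluated at a fixed instant.
T0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
   <saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="nas1@example.com"
      NotOnOrAfter="2013-01-01T00:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
 </saml:Assertion>
</samlp:Response>"""

def check_recipient(response_xml, nas_name, now=None):
    """Return (ok, reason). ok is True only if every assertion in the
    response carries SubjectConfirmationData whose Recipient names this
    NAS and whose NotOnOrAfter has not passed. Deliberately conservative:
    one missing or mismatching confirmation rejects the whole response."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertion in response"
    path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    for assertion in assertions:
        scds = assertion.findall(path, NS)
        if not scds:
            return False, "no SubjectConfirmationData"
        for scd in scds:
            recipient = scd.get("Recipient")
            if recipient is None:
                return False, "Recipient missing: issuer did not name a consumer"
            if recipient != nas_name:
                return False, "Recipient %r does not name this NAS" % recipient
            expiry = scd.get("NotOnOrAfter")
            if expiry is None:
                return False, "NotOnOrAfter missing"
            if now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
                return False, "confirmation data expired"
    return True, "ok"
```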
