>> OK. So, we're telling people that they should confirm that the realm portion of the NAI is in the response or metadata for the IDP, but we have no way to express that name in either interoperably?
>>
>> That's possibly OK, but might need to be called out.
>
> Or define something, yes. There are reasons to think something's going to be needed. Realm-based discovery seems likely to be the path forward in other areas.
Having reflected on this some more, I'm now a bit ambivalent about the whole discussion in 5.3.2. The text is assuming a particular SAML deployment model (policy & configuration in signed and trusted metadata) that will be true of some deployments but not others (e.g., a SAML proxy infrastructure).

I am pretty sure that rewriting this text for the general case would yield text amounting to "use technical methods to validate that names claimed by other SAML entities are true, to whatever standard constitutes true for you". This is implicit in the text in 5.3.1 for validating AAA names (where the "technical method" is whatever AAA technology you have elected to use), and so I am tempted to apply a similar model for the SAML case.

Josh.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
