Hi Andreas,

Wouldn't your access token be exactly that, though: a common user identifier (between the 2 parties)?
As you know, SAML's NameID doesn't (should not) reveal any info about the real user, it just represents a mapping. I guess you could create a federation on the fly and use the NameID Mapping profile to replace the NameID with the access token, but I don't see the point in doing that.

Sorry, I'm not sure I understand what you're trying to do.

Hubert

2009/8/18 Solberg Andreas Åkre <andreassolb...@gmail.com>:
>
> I'm looking at ways to exchange attributes between SAML services that
> do not share a common user identifier. I would prefer a simpler
> solution than ID-WSF or similar.
>
> As you probably know, in SAML 2.0 there is a profile 'Assertion Query
> Profile', which allows a requester to request a set of user attributes
> from a service. It is not possible to use this profile unless the
> request and the responder share an identifier representing the user.
> If I use OAuth to establish a front-channel connection in advance, the
> access token key may be used as the NameID in the AttributeQuery.
>
> My question is if anyone has already written a spec or draft
> outlining NameIDFormat identifiers in example, to contain an OAuth
> access token?
>
> Anyone that likes or dislikes the idea?