
List:       shibboleth-dev
Subject:    RE: scope checking at the SP
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2016-05-01 16:14:40
Message-ID: 9846A6064BD102419D06814DD0D78DE1128E86C1 () CIO-TNC-D2MBX02 ! osuad ! osu ! edu

> Does the SP "scope-check" values of SAML2 Persistent NameID (or
> eduPersonTargetedID)? That is, does the SP ensure the NameQualifier is
> equal to the Issuer? If so, can this be relaxed on a per-IdP basis?

It does in modern versions, it didn't always. The rule is enforced in the filter with a rule called saml:NameIDQualifierString.

> I searched for "NameQualifier" in the wiki and am led to believe the
> "scope-check" above was enabled by default in SP 2.4 but it appears to
> be all or none. If so, I'm not sure why the SP treats ePTID different
> than ePPN (e.g.). I know in the latter case, scope checking can be
> relaxed on a per-IdP basis (a needed feature for IdP Proxies, e.g.).

I don't know for certain it can be relaxed in either case. Maybe with an AND/OR that pulls in a check against the issuer? I guess that might work, but if so it should work for both.

-- Scott

-- 
To unsubscribe from this list send an email to dev-unsubscribe@shibboleth.net
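An added illustration, not from this thread or the Shibboleth project, of the AND/OR idea floated in the reply above, written as an attribute-filter.xml fragment for the SP. It assumes the attribute id persistent-id from the SP's default attribute-map.xml, a placeholder entityID for the proxy, and that the OR combinator short-circuits per value as sketched, which the reply itself does not confirm.

```xml
<!-- Constructed attribute-filter.xml fragment (assumed names, not a shipped config). -->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <afp:AttributeFilterPolicy>
        <!-- This policy applies to every IdP. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Default behaviour: keep a persistent NameID only when its
             NameQualifier equals the asserting IdP's entityID (and the
             SPNameQualifier equals this SP's entityID). That check is what
             stops one IdP from asserting identifiers qualified for another. -->
        <afp:AttributeRule attributeID="persistent-id">
            <afp:PermitValueRule xsi:type="OR">
                <!-- Per-IdP relaxation: values issued by the proxy pass
                     without the qualifier check. Placeholder entityID. -->
                <Rule xsi:type="AttributeIssuerString"
                      value="https://proxy.example.org/idp/shibboleth"/>
                <!-- Every other issuer still has to pass the qualifier check. -->
                <Rule xsi:type="saml:NameIDQualifierString"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

The same OR shape would relax the check for eppn by swapping in the scope rule the SP applies to that attribute, so both cases end up handled the same way. Confirm the behaviour against the SP's attribute filter logging before relying on it.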

