Feature/is24 signservice scope in request #26
Conversation
I have requested some changes in my review comments.
</saml2p:Scoping> | ||
*Example when the `RequesterID` element is used to inform the Identity Provider about which Service Provider that the user authenticated at during the session when a signature process is executed.* | ||
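Review bot: the caption says the `RequesterID` identifies the Service Provider "that the user authenticated at", but a `<saml2p:RequesterID>` names the entity on whose behalf the authentication request is made, here the Service Provider whose sign request led the Signature Service to request authentication, and that Service Provider need not have authenticated the user itself. Suggest: "Example when the `<saml2p:RequesterID>` element is used to inform the Identity Provider about which Service Provider requested the signature associated with this request for authentication." This also removes the stray "that" in "which Service Provider that the user authenticated at" and uses the fully qualified element name as the changelog entry does.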
Proposed new text:
An Identity Provider can adapt user interfaces or authentication procedures to different Service Providers either based on static configuration or based on information found in the Service Provider's metadata. It can therefore be useful for the Identity Provider to know which Service Provider requested the signature which caused the Signature Service to request authentication, in order for the Identity Provider to maintain the same user experience and procedures regardless of whether authentication is requested directly by the Service Provider, or by a Signature Service as a result of a Sign Request from the same Service Provider.
It is RECOMMENDED that the <saml2p:Scoping> element contains a <saml2p:RequesterID> element holding the entityID of the Service Provider that generated the sign request which is associated with this <saml2p:AuthnRequest> message.
<saml2p:Scoping>
<saml2p:RequesterID>http://www.origsp.com/sp</saml2p:RequesterID>
</saml2p:Scoping>
Example when the <saml2p:RequesterID> element is used to inform the Identity Provider about which Service Provider requested the signature associated with this request for authentication.
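As an added illustration (not part of this pull request or of the specification text), this is the Identity Provider side of what the proposed text describes: read `<saml2p:RequesterID>` from an incoming `<saml2p:AuthnRequest>`, honour it only if it names a Service Provider already known from metadata, and otherwise fall back to the request's `<saml2:Issuer>`. The sample request, the Signature Service entityID, the registry and the `ui_profile` values are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest: the Issuer is a placeholder Signature Service,
# the RequesterID names the SP whose sign request triggered authentication.
SAMPLE_AUTHN_REQUEST = """<saml2p:AuthnRequest ID="_constructed-id" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://signservice.example.org/sp</saml2:Issuer>
  <saml2p:Scoping>
    <saml2p:RequesterID>http://www.origsp.com/sp</saml2p:RequesterID>
  </saml2p:Scoping>
</saml2p:AuthnRequest>"""

# Constructed registry of SP entityIDs the IdP knows from metadata.
KNOWN_SPS = {"http://www.origsp.com/sp": {"ui_profile": "origsp-branding"}}

def is_well_formed(xml_text):
    """False when the XML does not parse, e.g. when <saml2p:RequesterID>
    is closed by </saml2:RequesterID> (the prefix typo in the spec example)."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True

def extract_requester_ids(authn_request_xml):
    """Return (Issuer entityID, list of RequesterID values) of an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    ids = root.findall("saml2p:Scoping/saml2p:RequesterID", NS)
    return issuer, [e.text.strip() for e in ids if e.text]

def select_ui_profile(authn_request_xml, known_sps=KNOWN_SPS):
    """UI profile of the originating SP, or None if no SP is recognised."""
    issuer, requester_ids = extract_requester_ids(authn_request_xml)
    # RequesterID is an unverified hint from the requester: honour it only if
    # it names an SP already present in the IdP's metadata registry.
    for entity_id in requester_ids:
        if entity_id in known_sps:
            return known_sps[entity_id]["ui_profile"]
    # Otherwise the AuthnRequest's Issuer itself is the SP (direct request).
    if issuer in known_sps:
        return known_sps[issuer]["ui_profile"]
    return None
```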
- Section 7.2, "Authentication Requests", was extended to recommend the usage of the `<saml2p:RequesterID>` element within `<saml2p:Scoping>`. The reason for this recommendation is that Identity Providers in some cases need | ||
to know about the Service Provider at which the user authenticated during the current session. | ||
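Review bot: the rationale given here ("the Service Provider at which the user authenticated during the current session") does not match what the recommended element conveys: `<saml2p:RequesterID>` identifies the entity on whose behalf the authentication request is made, here the Service Provider whose sign request caused the Signature Service to request authentication, and that Service Provider need not have authenticated the user itself. Suggest: "The reason for this recommendation is that Identity Providers in some cases need to know which Service Provider requested the signature that led to the authentication request." The list item is also broken across two lines after "need"; keep it on one line or indent the continuation so it renders as part of the bullet.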
Again, don't refer to the fact that the Service provider authenticated the user. That is not relevant. In fact the SP may not have authenticated the user at all, it may simply have asked the user to select his/her IdP.
Refer to the fact that the SP requested the signature which is the cause of authenticating the user.
<saml2p:Scoping> | ||
<saml2p:RequesterID>http://www.origsp.com/sp</saml2:RequesterID> | ||
</saml2p:Scoping> | ||
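Review bot: the example is not well-formed XML: `<saml2p:RequesterID>` is closed by `</saml2:RequesterID>`, so the prefixes do not match and an XML parser rejects the snippet. Change the closing tag to `</saml2p:RequesterID>`; `RequesterID` belongs to the protocol namespace, like the enclosing `Scoping` element.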
Make the same changes here.
Pull request for #24