Social2SAML gateway authentication assertion contents

Cantor, Scott cantor.2 at
Mon Nov 21 14:51:17 GMT 2011

On 11/21/11 9:01 AM, "Keith Hazelton" <hazelton at> wrote:
>Where should the social IdP and the gateway identity be carried in the
>SAML authentication assertion?  What are the alternatives and tradeoffs?

Proxied SAML authentication is covered by the core spec, and the
AuthenticatingAuthority element inside the AuthnContext is the appropriate
place to communicate proxied identity sources. The case of non-SAML IdPs
was explicitly covered.

There aren't any alternatives apart from extensions. Using attributes is
not really appropriate, because this is not information about the subject.

-- Scott
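
Added example, not part of the original message: how a relying party might read the proxied identity source from the AuthenticatingAuthority element inside the AuthnContext and apply policy to it. The sample assertion, every URI, and the function names are constructed for illustration, and signature and conditions validation is assumed to have been done before this code runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature and conditions omitted); all URIs are placeholders.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2011-11-21T14:51:17Z">
  <saml:Issuer>https://gateway.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>opaque-user-id</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2011-11-21T14:50:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://social.example.com/</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

def proxied_sources(assertion_xml):
    """Return (issuer, [authenticating authorities]) from an already-validated assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthenticatingAuthority"
    # Each element holds the URI of one upstream authority that took part in the authentication.
    authorities = [(el.text or "").strip() for el in root.findall(path, NS)]
    return issuer, authorities

def accept(assertion_xml, trusted_gateways, allowed_sources):
    """Hypothetical SP policy: trusted gateway as issuer, every upstream source allowed."""
    issuer, authorities = proxied_sources(assertion_xml)
    if issuer not in trusted_gateways:
        return False
    # A gateway assertion that names no upstream source is rejected rather than guessed at.
    return bool(authorities) and all(a in allowed_sources for a in authorities)

if __name__ == "__main__":
    print(proxied_sources(SAMPLE))
    print(accept(SAMPLE, {"https://gateway.example.org/idp"}, {"https://social.example.com/"}))
```
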
