What is the purpose of the nameidentifier claim?


Question

What should a claim of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier be used for?

This is the main question, and here are some additional ones.

How does it differ from the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim?

Is it permanent for a particular user, as opposed to the name claim?

Is it globally scoped or IdP-scoped?

Answer

Name is just that: a name. If we're talking about a person, think "Eric"; for a server, "file01".

A NameIdentifier is the ID for an object. Turning back to our person object, Eric's UserID might be 435 in your database. For the server, the Identifier could be something like an FQDN or a SID.

According to this post, apparently Name Identifier was a SAML 1.1 property, and is being supplanted by NameID in SAML 2.0.

I wanted to address @Jason's comment and @nzpcmad's post. I don't see uniqueness as a clear-cut requirement. The question is tagged adfs2.0, but the schema referenced is owned by OASIS. So those are the two parties whose interpretations we need to balance.

Microsoft's stance for ADFS is clearly that there is a uniqueness requirement. We see that in the "The Role of Claims" article. No doubt ADFS casts a big shadow, but this seems like an implementation detail.

Looking at the SAML 1.1 spec, however, I see no such assertion. The closest we get, in section 2.4.2.2 of the spec, is:

    The element specifies a subject by a combination of a name qualifier, a name, and a format. The element has the following attributes:

    ...

    NameQualifier [Optional]
    The security or administrative domain that qualifies the name of the subject. This attribute provides a means to federate names from disparate user stores without collision.

The text of the spec tells me that I need to be able to find a person using a combination of the three attributes, but it makes no assertion as to uniqueness. Couldn't I have two entries that point to the same user? Seems so. Moreover, wouldn't the spec indicate that the NameQualifier attribute was required in cases where NameIdentifier was insufficient to uniquely identify the name?

So what does this all lead to?

  • Be aware that not being safe may be the safer choice.

  • Dig into your provider's stance on the subject.
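As an added example (not from the original answer and not from any SAML library), the Python below parses a constructed SAML 1.1 assertion and keys the local account lookup on the full NameIdentifier tuple (NameQualifier, Format, value) instead of the name claim, which is the distinction the answer draws. The mapping of a SAML 1.1 attribute to a claim type as AttributeNamespace + "/" + AttributeName, the sample assertion and the directory contents are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAME_CLAIM = CLAIMS_NS + "/name"
NAMEID_CLAIM = CLAIMS_NS + "/nameidentifier"
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def sample_assertion(qualifier, name_id, display_name):
    """Constructed SAML 1.1 assertion for the demo (not captured from a real IdP)."""
    q = f' NameQualifier="{qualifier}"' if qualifier else ""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <saml:AuthenticationStatement><saml:Subject>
  <saml:NameIdentifier{q} Format="{FMT}">{name_id}</saml:NameIdentifier>
 </saml:Subject></saml:AuthenticationStatement>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="name" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>{display_name}</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""


def extract_claims(xml_text):
    """Return {claim_type: value}; the nameidentifier entry keeps qualifier and format."""
    root = ET.fromstring(xml_text)
    claims = {}
    nid = root.find(f".//{SAML1}Subject/{SAML1}NameIdentifier")
    if nid is not None:
        claims[NAMEID_CLAIM] = {"value": (nid.text or "").strip(),
                                "qualifier": nid.get("NameQualifier"),  # None if omitted
                                "format": nid.get("Format")}
    for attr in root.iter(f"{SAML1}Attribute"):  # assumed namespace/name -> claim type
        ctype = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        val = attr.find(f"{SAML1}AttributeValue")
        claims[ctype] = (val.text or "").strip() if val is not None else ""
    return claims


def account_key(claims):
    """Identity key is (NameQualifier, Format, value); the name claim is display-only."""
    nid = claims[NAMEID_CLAIM]
    if not nid["qualifier"]:
        # Without the qualifier, "435" from one user store collides with "435" from another.
        raise ValueError("NameIdentifier carries no NameQualifier; refusing to map it")
    return (nid["qualifier"], nid["format"], nid["value"])


# Constructed directory: the same value "435" from two security domains resolves to two
# different local accounts only because the NameQualifier is part of the key.
DIRECTORY = {("idp.example.test", FMT, "435"): "local-user-1",
             ("partner.example.test", FMT, "435"): "local-user-2"}


def resolve(xml_text, directory=DIRECTORY):
    return directory.get(account_key(extract_claims(xml_text)))
```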
