Multiple possible issuers
Hi,
Is it possible to request a certain claim, while giving the user a choice between multiple issuers? For example: a relying party needs your name, and it has to be certified by organisation A, organisation B or organisation C.
If it is possible, what does it look like in WS-SecurityPolicy? Can you just add multiple Issuer tags?
<sp:Issuer>
    <wsa:EndpointReference>
        <wsa:Address>
            http://schemas.microsoft.com/ws/2005/05/identity/issuer/self
        </wsa:Address>
    </wsa:EndpointReference>
</sp:Issuer>
thanks!
No, currently you cannot specify multiple issuers. We are currently evaluating this for V.next.
However, you can opt to not specify the issuer, at which point the relying party could check that the security token is issued by a particular relying party by verifying the public key.
As a matter of fact, we're recommending that you don't specify the issuer at all, simply list the claims, and verify the issuer's public key.
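The recommendation above, as an added example that is not from this thread and not CardSpace or WCF code: the relying party leaves the policy Issuer element out and instead pins the public keys of organisations A, B and C, releasing a token's claims to the application only when the token is signed by one of those pinned keys. The token layout, the fingerprinting scheme and all names are assumptions for illustration, not the SAML or WS-Trust wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyID fingerprints an issuer key; the RP pins one per accepted organisation (hypothetical scheme).
func keyID(pub *rsa.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes())) }

// issue signs a claims payload the way an identity provider would.
func issue(priv *rsa.PrivateKey, claims []byte) ([]byte, error) {
	h := sha256.Sum256(claims)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Accept rejects an unpinned issuer before reading the claims, then verifies the signature.
func Accept(trusted map[string]bool, issuer *rsa.PublicKey, claims, sig []byte) ([]byte, error) {
	if !trusted[keyID(issuer)] {
		return nil, errors.New("issuer not in the accepted set")
	}
	h := sha256.Sum256(claims)
	if err := rsa.VerifyPKCS1v15(issuer, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the issuer key")
	}
	return claims, nil
}

// Scenario pins A, B and C; D signs a valid token but is not pinned, so its claims are never released.
func Scenario() (fromB, fromD []byte, errD error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	a, b, c, d := gen(), gen(), gen(), gen()
	trusted := map[string]bool{keyID(&a.PublicKey): true, keyID(&b.PublicKey): true, keyID(&c.PublicKey): true}
	claims := []byte("name=Alice") // constructed sample claim
	sigB, _ := issue(b, claims)
	sigD, _ := issue(d, claims)
	fromB, _ = Accept(trusted, &b.PublicKey, claims, sigB)
	fromD, errD = Accept(trusted, &d.PublicKey, claims, sigD)
	return
}

func main() {
	fromB, fromD, errD := Scenario()
	fmt.Printf("B: %q\nD: %q (%v)\n", fromB, fromD, errD)
}
```

Note that the rejection of D happens only after the token has reached the RP, which is exactly the privacy point raised in the follow-up below: the user's claims are disclosed before the RP decides it does not accept the issuer.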
Thank you for the answer.
But one question about not specifying the issuer at all.
Isn't it more privacy friendly if this is specified? Otherwise, a user discloses information to the relying party. Only when the relying party has received this information does the user get to know that he is not allowed access, since he is not subscribed with the right identity provider --> the relying party still knows the user's data.
Yes, you could construe that the user has the ability to send a token to the RP that they won't accept, for finer grained reasons than a lack of claims, but a lack of quality in the claims (or the source).
I think in the short run this won't be much of a problem, but I do believe that we need the 'multiple issuer' issue solved in the long run.
Like I said, we're evaluating this for v.Next of CardSpace, and so by the time that this starts to be a significant issue, I hope that it will be solved.
Thanks,