The SAML XML.org web site is no longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

SecurityDomain attribute on NameIdentifier tag in SAML 1.1

Hi All,

Looking through SAML 1.1 samples on the Internet, I found that many of them use the SecurityDomain attribute on the NameIdentifier tag to specify the URL of the security domain. But this attribute is missing in the SAML 1.1 XSD (probably I cannot find it?).

...

<saml:Subject>
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor" />
</saml:Subject>

What is the origin of this attribute? Is it valid to use it to specify a security domain, or is it implementation-specific? Thanks in advance.

Sergey Ponomarev.

It's illegal, and I have no idea where people got it. The NameIdentifier element isn't attribute extensible, nor is the new one in SAML 2.0.

The NameQualifier attribute is more or less the same idea, but in general that attribute is under-specified in SAML 1.1, and its use is discouraged for the Formats defined there. For new Formats, it's reasonable to profile the attribute to be something interoperable, but as it stands now, it's mostly harmful.
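
A schema-level check for the point made in the reply above, as an added example that is not part of the original thread: it lists every attribute on a SAML 1.1 NameIdentifier that the assertion schema does not declare (the schema declares only NameQualifier and Format, with the name itself carried as element content). The function name, the namespace wrapper around the question's snippet and the second sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 assertions use the 1.0 assertion namespace.
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Attributes declared on NameIdentifierType in the SAML 1.1 assertion schema.
# The type has no anyAttribute wildcard, so anything else is schema-invalid.
DECLARED = {"NameQualifier", "Format"}


def undeclared_nameid_attrs(xml_text):
    """Return the sorted names of attributes on saml:NameIdentifier
    elements that the SAML 1.1 schema does not declare."""
    # Assertions arrive from other parties; refuse DTDs before parsing so
    # entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not permitted in SAML input")
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter("{%s}NameIdentifier" % SAML11_NS):
        for attr in elem.attrib:
            # xsi:* attributes (xsi:type etc.) are allowed by XML Schema itself.
            if attr.startswith("{%s}" % XSI_NS):
                continue
            if attr not in DECLARED:
                found.append(attr)
    return sorted(found)


# Constructed input: the snippet from the question, wrapped with the
# namespace declaration it needs to parse on its own.
QUESTION_SAMPLE = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor" />
</saml:Subject>
"""

# Constructed input: the same values in a form the schema accepts. This is
# schema-valid only; the reply above discourages NameQualifier for the
# Formats SAML 1.1 defines.
SCHEMA_VALID_SAMPLE = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier NameQualifier="nchelp.org/meteor">ED.TIM</saml:NameIdentifier>
</saml:Subject>
"""

if __name__ == "__main__":
    print(undeclared_nameid_attrs(QUESTION_SAMPLE))
    print(undeclared_nameid_attrs(SCHEMA_VALID_SAMPLE))
```

A consumer that validates incoming assertions against the schema rejects the first sample outright, so a relying party that reads SecurityDomain is depending on input it should never have accepted.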
