Service Provider Scoping
Overview
The default implementation of an Adobe Pass Authentication integration with an MVPD is based on the OLCA Specification. The Authentication Requirements section of the OLCA spec (6.5, Subject Identifier) states that it is possible to indicate the scoping of the Service Provider (SP) for the subject identifier. (The subject identifier is the obfuscated User ID the MVPD returns to the SP.) In an Adobe Pass Authentication integration, MVPDs are required to enable scoping of the SP Authentication requests.
With Adobe Pass Authentication taking on the role of SP for the Programmer, it is necessary to implement a customization that enables SP scoping of the Authentication request. This needs to be done so that the MVPD can identify the network brand passed in the SAML assertion to the MVPD’s Identity Provider (IdP). Scoping can be implemented in one of the two ways described in the next section.
Service Provider Scoping
Adobe Pass Authentication supports the following two ways to enable SP scoping of Authentication requests:
- The SAML Issuer Approach. In this approach, the “Requestor ID” is appended to the SAML Issuer string in the SAML Authentication request.
- The Custom Scoping Property Approach. In this approach, the “Requestor ID” is included explicitly as a custom “Scoping” property in the SAML Authentication request.
SAML Issuer Approach
This approach uses the SAML <Issuer> element in the SAML Authentication request, as shown in this snippet:
...
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://saml.sp.adobe.adobe.com/on-behalf-of/requestorID
</saml:Issuer>
...
Custom Scoping Property Approach
This approach uses a custom property named “Scoping”, as shown in this snippet of a SAML authentication request:
...
<samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:RequesterID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">requestorID</samlp:RequesterID>
</samlp:Scoping>
...
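On the MVPD side, the IdP has to recover the requestor ID from whichever of the two approaches the request uses. The following is an added example, not Adobe's or any MVPD's code: the sample requests, the `sp.example.test` issuer, the `KNOWN_REQUESTORS` allow-list and the rule that rejects a request whose Issuer and Scoping disagree are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
MARKER = "/on-behalf-of/"
# Hypothetical allow-list of requestor IDs this MVPD has onboarded.
KNOWN_REQUESTORS = {"sampleRequestorA", "sampleRequestorB"}

# Constructed sample requests (not captured traffic).
ISSUER_STYLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://saml.sp.adobe.adobe.com/on-behalf-of/sampleRequestorA
  </saml:Issuer>
</samlp:AuthnRequest>"""
SCOPING_STYLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test</saml:Issuer>
  <samlp:Scoping>
    <samlp:RequesterID>sampleRequestorB</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def extract_requestor_id(authn_request_xml):
    """Return the requestor ID scoped into an AuthnRequest, or None if absent."""
    # SAML messages do not need DTDs; refuse them before parsing.
    if "<!DOCTYPE" in authn_request_xml or "<!ENTITY" in authn_request_xml:
        raise ValueError("DTD not allowed in SAML request")
    root = ET.fromstring(authn_request_xml)

    # Custom Scoping Property approach: <samlp:Scoping>/<samlp:RequesterID>.
    scoped = root.findtext("samlp:Scoping/samlp:RequesterID", namespaces=NS)

    # SAML Issuer approach: requestor ID follows ".../on-behalf-of/".
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    from_issuer = issuer.rsplit(MARKER, 1)[1] if MARKER in issuer else None

    found = {v.strip() for v in (scoped, from_issuer) if v and v.strip()}
    if len(found) > 1:
        # Assumption of this example: conflicting scoping is treated as invalid.
        raise ValueError("Issuer and Scoping name different requestors")
    requestor = found.pop() if found else None
    if requestor is not None and requestor not in KNOWN_REQUESTORS:
        raise ValueError("unknown requestor ID")
    return requestor
```

The extracted value only identifies the brand; it should be read from a request whose signature has already been verified.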