OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [saml-dev] NameID-less SAML Subject


On Thu, Feb 28, 2008 at 5:06 PM, Brent Putman <putmanb@georgetown.edu> wrote:
>  At least for SAML 2.0, I believe one use case is for use within an
>  AuthnRequest.   See SAML 2 core line 2017-2024.  The identifier (or
>  entire Subject) can be omitted in which case the subject is presumed to
>  be the presenter of the message.  You might have a Subject without the
>  identifier if specific SubjectConfirmation is being requested in the
>  resulting Assertion(s).

Ah, I missed that reference, thanks.  The Web SSO Profile precludes
this situation (section 4.1.4.1, lines 525--527) so I assume the
writer(s) of the Core spec had some other use case in mind.

What about the case where the presenter is not the subject but acting
on behalf of the subject?  In that case, can you think of an example
where the NameID is not required?

Suppose I want to query an IdP and identify the subject with an X.509
certificate (not merely a DN).  I'd be tempted to include the cert in
a SubjectConfirmation element but the semantics aren't quite right.
What is the correct way to do this?

Thanks,
Tom


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]