saml-dev message

Subject: RE: [saml-dev] NameID-less SAML Subject


> >  "If an assertion is issued for use by an entity other than 
> the subject, then that entity SHOULD be
> >  identified in the <SubjectConfirmation> element."
> >
> >  What would "other than the subject" mean in the above?
> 
> The SP.  See section 3.3 in [SAMLProf] for an example.

I understand that the SP's EntityID would be a logical candidate for inclusion in the SubjectConfirmation.
What I meant was: Why, if the SubjectConfirmation is part of the Subject, do we refer to an identifier in the SubjectConfirmation as an alternative to the "subject" of the Assertion? Aren't we really trying to say "other than the principal"?

Also, note that in [SAMLCore] section 3.4.1.4 Processing Rules (for AuthnRequest protocol), we have:
"The assertion(s) returned MUST contain a <saml:Subject> element that represents the presenter. The identifier type and format are determined by the identity provider."
If the SP will be the intended presenter of the Assertion, I would think that the SP's EntityID should go in the Subject, unless the principal's NameID is in the Subject, in which case the SP's EntityID would have to go in the SubjectConfirmation.

::Ari
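
As an added illustration of the structure discussed in this thread (example code, not from the list posters or the SAML specifications themselves): a constructed <Subject> fragment that carries the principal's NameID and names the SP as presenter inside <SubjectConfirmation>, followed by the check a relying party can run to confirm that the confirming entity and Recipient are the ones it expects. The entity IDs, ACS URL and NameID value are placeholders.

```python
# Constructed SAML 2.0 <Subject>: principal in NameID, SP (presenter) named
# in <SubjectConfirmation>. All identifiers below are placeholder values.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SUBJECT_XML = f"""
<saml:Subject xmlns:saml="{SAML}">
  <saml:NameID Format="{FMT_PERSISTENT}">
    ari-persistent-id-0001
  </saml:NameID>
  <saml:SubjectConfirmation Method="{CM_BEARER}">
    <saml:NameID Format="{FMT_ENTITY}">https://sp.example.org/saml</saml:NameID>
    <saml:SubjectConfirmationData
        Recipient="https://sp.example.org/saml/acs"
        NotOnOrAfter="2030-01-01T00:00:00Z"/>
  </saml:SubjectConfirmation>
</saml:Subject>
"""


def check_presenter(subject_xml, expected_sp, expected_acs):
    """Return (principal_id, ok).

    ok is True only if at least one <SubjectConfirmation> names expected_sp
    as the confirming entity (entity-format NameID) and its
    <SubjectConfirmationData> Recipient is our own ACS endpoint.
    """
    subj = ET.fromstring(subject_xml)
    principal = subj.find("saml:NameID", NS)  # the principal's identifier
    principal_id = principal.text.strip() if principal is not None else None
    for sc in subj.findall("saml:SubjectConfirmation", NS):
        nid = sc.find("saml:NameID", NS)  # identifies the presenter (the SP)
        data = sc.find("saml:SubjectConfirmationData", NS)
        if nid is None or nid.get("Format") != FMT_ENTITY:
            continue
        if (nid.text or "").strip() != expected_sp:
            continue
        if data is None or data.get("Recipient") != expected_acs:
            continue
        return principal_id, True
    return principal_id, False
```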