Subject: RE: [saml-dev] NameID-less SAML Subject
> I understand that the SP's EntityID would be a logical candidate for
> inclusion in the SubjectConfirmation.
> What I meant was: Why, if the SubjectConfirmation is part of the Subject, do
> we refer to an identifier in the SubjectConfirmation as an alternative to the
> "subject" of the Assertion? Aren't we really trying to say "other than the
> principal"?

No, we're trying to say "other than the subject of the assertion" where subject is meant more conceptually. The thing/person/concept about which it was issued.

> Also, note that in [SAMLCore] section 3.4.1.4 Processing Rules (for
> AuthnRequest protocol), we have:
> "The assertion(s) returned MUST contain a <saml:Subject> element that
> represents the presenter. The identifier type and format are determined by
> the identity provider."

I guess you could argue it should say "the identifier type and format, if present, are determined..."

> If the SP will be the intended presenter of the Assertion, I would think
> that the SP's EntityID should go in the Subject, unless the principal's
> NameID is in the Subject, in which case the SP's EntityID would have to go
> in the SubjectConfirmation.

Not at all. Two *very* different meanings. The subject of the assertion is reserved for the entity about which any statements in the assertion are true. That isn't likely to be the SP in most delegation/impersonation use cases. It's quite case-dependent whether the SP name belongs in one spot or the other, not interchangeable.

-- Scott
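As an added illustration of the distinction drawn above (not code from this thread or from any SAML implementation): the Subject's own NameID and the NameID inside SubjectConfirmation are parsed separately, and a relying-party check looks for the presenter only in the latter, also handling the NameID-less Subject the thread is about. All URLs, identifiers and timestamps are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample values (not from the thread): a principal identifier and
# the entityID of the SP that will present the assertion to a relying party.
PRINCIPAL_NAMEID = f'<saml:NameID Format="{FMT_PERSISTENT}">user-12345</saml:NameID>'
SP_ENTITY_ID = "https://sp.example.org/sp"

def build_assertion(subject_nameid):
    """Constructed assertion. Pass "" to get the NameID-less <saml:Subject> the
    thread discusses; the SP is then named only in the SubjectConfirmation."""
    return f'''<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_c1"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    {subject_nameid}
    <saml:SubjectConfirmation Method="{CM_SENDER_VOUCHES}">
      <saml:NameID Format="{FMT_ENTITY}">{SP_ENTITY_ID}</saml:NameID>
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>'''

def split_subject(assertion_xml):
    """Separate the subject (whom the statements are about) from the confirming
    entities (who may present the assertion). Either part may be absent."""
    subject = ET.fromstring(assertion_xml).find("saml:Subject", NS)
    subj = subject.find("saml:NameID", NS)  # direct child only, not the SC's NameID
    confirmations = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        cid = sc.find("saml:NameID", NS)
        confirmations.append({
            "method": sc.get("Method"),
            "entity": cid.text.strip() if cid is not None else None,
            "format": cid.get("Format") if cid is not None else None,
        })
    return {"subject": subj.text.strip() if subj is not None else None,
            "confirmations": confirmations}

def presenter_is_confirmed(assertion_xml, presenter_entity_id):
    """Relying-party check: the presenter must be named (entity format) in some
    SubjectConfirmation. The Subject's NameID names the principal, not the
    presenter, so it is deliberately never consulted here."""
    return any(c["format"] == FMT_ENTITY and c["entity"] == presenter_entity_id
               for c in split_subject(assertion_xml)["confirmations"])
```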