Re: [saml-dev] clarification of AuthnRequest protocol

[Scott Cantor <cantor.2@osu.edu>]

Tom Scavo wrote:
> In section 3.4.1.4 of Core, it says "The resulting assertion(s) MUST
> contain a <saml:AudienceRestriction> element referencing the requester
> as an acceptable relying party."  What if the requester is in fact the
> requested subject, but beyond that the relying party is unspecified?
> What should the Audience value be in that case?

Well, I think the intent behind the text was to preclude issuing assertions 
using that protocol that don't identify a relying party unless there's some 
overriding signal to do so. As stated, the protocol doesn't permit issuing 
unconstrained assertions. However, that text is really kind of meant as a 
set of "default" behavior if there's nothing in the request (or one could 
argue, a profile) to dictate otherwise.

I think one could finesse around it easily enough by just spelling out what 
you want in a profile. Worst case, you short circuit that text by explicitly 
including an extension or something else that renders the "In the absence of 
any specific content at all" clause moot.

But I wouldn't be against an errata there myself, it reads a bit strongly to 
me. That text was kind of there as a placeholder to get around the fact that 
the only concrete profile we had for the protocol was Web SSO, and I didn't 
want core to be constrained by its rules.

-- Scott