RE: [saml-dev] Front-channel AttributeQuery Profile

["Scott Cantor" <cantor.2@osu.edu>]

Solberg Andreas Åkre wrote on 2009-11-11:
> Hi Josh! You're right, this is specified in core-3.3.4 - the Subjects MUST
> strongly match. That said, given the description in 3.3.4 two subjects may
> apparently strongly match even if a NameID is not included in one and is
> included in the other.

I'm not sure how you're getting that conclusion, but no, that's not the
case.

> I'm not sure if I follow completely... But if you take a closer look at my
> example, it is a schema-valid request with a subject without NameID at
all.

Schema validity is a subset of profile requirements.

> And at the same time, I think, it may be considered to strongly match the
> subject included in the response.

Only if there's no NameID in the assertion. Which is in fact probably what I
would suggest here anyway.

-- Scott