Hi all,
In SP-initiated web SSO, when the SAML authentication response is received at the SP, the SP, apart from other things, validates the SAML assertion and creates the user's session at the SP.
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
    3f7b3dcf-1674-4ecd-92c8-1544f346baf8
  </saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="identifier_1"
      Recipient="https://sp.example.com/SAML2/SSO/POST"
      NotOnOrAfter="2004-12-05T09:27:05Z"/>
  </saml:SubjectConfirmation>
</saml:Subject>
If the NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", then to which user does the session at the SP belong, given that the NameID is opaque information? Also, how will authorization checks be performed at the SP, as the user is opaque in the assertion?
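The validation step the post describes, worked through in code as an added example (this is not code from the original post or from any SAML product). It takes the <saml:Subject> quoted above, wrapped in a constructed <saml:Assertion> with a hypothetical AttributeStatement (the attribute names "mail" and "eduPersonEntitlement" and their values are assumptions), and shows the checks an SP performs on a bearer SubjectConfirmation before trusting the assertion: InResponseTo must match the AuthnRequest the SP sent, Recipient must be the SP's own ACS URL, and NotOnOrAfter must not have passed. It also shows how, when the NameID format is transient, the SP keeps the NameID only as a per-session handle and derives the session principal and entitlements from attributes in the assertion instead. Signature verification is omitted here; a real SP verifies the XML signature before reading any of these fields.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://sp.example.com/SAML2/SSO/POST"

# Constructed sample: the Subject quoted in the post, wrapped in an Assertion
# with a hypothetical AttributeStatement (names and values are made up).
# No Signature element is included; verify the signature first in real code.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="identifier_1"
        Recipient="https://sp.example.com/SAML2/SSO/POST"
        NotOnOrAfter="2004-12-05T09:27:05Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>https://sp.example.com/entitlements/admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Two clock values used by the examples below: one inside the validity window
# of the sample, one exactly at NotOnOrAfter (which is already invalid).
VALID_NOW = datetime(2004, 12, 5, 9, 0, 0, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2004, 12, 5, 9, 27, 5, tzinfo=timezone.utc)


def validate_bearer_subject(assertion_xml, expected_in_response_to, acs_url, now):
    """Check the bearer SubjectConfirmationData the way an SP must before it
    trusts the assertion. Returns the NameID value and format on success and
    raises ValueError on any failed check."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", SAML_NS)
    if subject is None:
        raise ValueError("assertion has no Subject")
    name_id = subject.find("saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Subject has no NameID")
    confirmation = subject.find("saml:SubjectConfirmation", SAML_NS)
    if confirmation is None or confirmation.get("Method") != BEARER_METHOD:
        raise ValueError("expected a bearer SubjectConfirmation")
    data = confirmation.find("saml:SubjectConfirmationData", SAML_NS)
    if data is None:
        raise ValueError("bearer confirmation without SubjectConfirmationData")
    # The response must answer a request this SP actually issued ...
    if data.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    # ... must have been addressed to this SP's own endpoint ...
    if data.get("Recipient") != acs_url:
        raise ValueError("Recipient is not this SP's ACS URL")
    # ... and must still be within its validity window (NotOnOrAfter is exclusive).
    expiry = datetime.strptime(data.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    if now >= expiry.replace(tzinfo=timezone.utc):
        raise ValueError("SubjectConfirmationData has expired")
    return {"name_id": name_id.text.strip(), "format": name_id.get("Format")}


def attribute_values(root, attribute_name):
    """All AttributeValue texts for the named Attribute, in document order."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, SAML_NS) if v.text]


def build_sp_session(assertion_xml, expected_in_response_to, acs_url, now,
                     principal_attribute="mail", entitlement_attribute="eduPersonEntitlement"):
    """Validate the Subject, then decide what the SP session is keyed on."""
    subject = validate_bearer_subject(assertion_xml, expected_in_response_to, acs_url, now)
    root = ET.fromstring(assertion_xml)
    is_transient = subject["format"] == TRANSIENT_FORMAT
    if is_transient:
        # A transient NameID is an opaque, one-session handle. Keep it for
        # correlating this session with the IdP (e.g. logout), but take the
        # user identity from an attribute the IdP is configured to release.
        principals = attribute_values(root, principal_attribute)
        if len(principals) != 1:
            raise ValueError("transient NameID and no single principal attribute")
        principal = principals[0]
    else:
        principal = subject["name_id"]
    return {
        "principal": principal,
        "transient_handle": subject["name_id"] if is_transient else None,
        "entitlements": attribute_values(root, entitlement_attribute),
    }


def example_session(now=VALID_NOW, in_response_to="identifier_1"):
    """Run the sample through the SP logic; returns the session dict, or the
    rejection reason as a string when validation fails."""
    try:
        return build_sp_session(SAMPLE_ASSERTION, in_response_to, ACS_URL, now)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(example_session())
    print(example_session(now=EXPIRED_NOW))
```

With the valid clock the session is keyed on alice@example.com, the transient NameID is kept only as the session's handle toward the IdP, and authorization uses the entitlement attribute; at 09:27:05Z or with an InResponseTo the SP never issued, the assertion is rejected and no session is created.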