OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [saml-dev] RE: Question about ConfirmationMethod in SSO

> In what instances are the <ConfirmationMethod> and 
> <SubjectConfirmationData> used? It would seem to me that it 
> would not be usable in a SSO environment, since the entire purpose of
> is to *not* pass that sort of information along. I'm assuming that 
> because of this, SAML can also be used as a local authentication
> as well? A spec I could use to log into a service with username and
> password?

Not currently. There is no provision in SAML 1.0 for pass-through
authentication, or for asking an Authentication Authority to
authenticate you. You can find some recent discussion on that on the
main SAML list. Authentication Assertions are documenting past acts of

And you are in fact correct, confirmation method is not really used in
that fashion with the SSO profiles. In the POST case for example, (the
one Shib uses) the method is set to a special "bearer" method URI that
indicates that the bearer of the assertion should be accepted as the
subject. That's because it's short-lived, and pushed through the

There is no real subsequent use of the field, and it's not there to
handle some kind of disconnected state or anything like that.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC