OASIS Mailing List Archives

saml-dev message


Subject: Re: [saml-dev] Subject confirmation.

Giuseppe Sarno wrote on 11/9/2005, 11:10 AM:

> The SubjectConfirmation is data sent to the SP by the asserting party (IDP); so far so good.

That isn't how I would describe it.

> Now the thing I don't understand is the following:
>
> Is this data meant to let the SP determine that the Subject in the assertion is actually the subject? (sorry about the word game)

The Subject confirmation is essentially the steps that the sender must go through to prove they are allowed to present the assertion to the receiver. In the case of browser-based SSO, this will always be a "bearer" confirmation (meaning that whoever can bear this token can present it to the SP). This is necessary since the browser isn't capable of doing anything else.

Of course, when you get beyond a browser and into server-to-server messages, the sender can do things like prove that they hold a key (holder-of-key confirmations), typically by signing something (usually some portion of the message). You can see more of how this is used in the WS-Security SAML Token Profile specification.

> Or is this data meant to let the SP determine that the IDP that issued the Assertion is associated with the Subject?

It is not generally used for IdP->SP communications associated with SSO since they are typically sent through a browser client (so the browser is actually the entity sending the assertion to the SP after having gotten it from the IdP).

> Now I'm trying to understand what the SP is supposed to do.

In the browser-based SSO model (where the SP comes into play), the confirmation method is "...:cm:bearer" since it is always a bearer confirmation (See Section 4.1.1 of the SAML Profiles specification).
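The reply above says what the SP has to check for a bearer confirmation but not how. The following is an added example written for this archive page, not code from the thread, from OASIS or from any SAML library. It parses a SAML 2.0 assertion and applies the bearer-method checks an SP in the Web Browser SSO profile needs: the method must be `urn:oasis:names:tc:SAML:2.0:cm:bearer`, and the `SubjectConfirmationData` must name this SP as `Recipient`, still be inside its `NotOnOrAfter` window, and carry the `InResponseTo` of the request the SP is waiting on. Signature and `Conditions` checking are assumed to have happened already. The ACS URL, request ID, clock value and the sample assertions are all constructed for the demo.

```python
"""SP-side SubjectConfirmation check for SAML 2.0 Web Browser SSO.

Added example for this thread; it is not code from the list, from OASIS or
from any SAML library. Names, URLs and IDs below are constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed values standing in for this SP's assertion consumer service URL,
# the ID of the AuthnRequest it is waiting on, and the wall clock at check time.
ACS_URL = "https://sp.example.net/saml/acs"
REQUEST_ID = "_req-7f3a"
NOW = datetime(2005, 11, 9, 16, 12, 0, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2005-11-09T16:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bearer_confirmation(assertion_xml, acs_url, request_id, now):
    """Accept the assertion only if one SubjectConfirmation satisfies the
    bearer rules a browser-SSO SP must apply; return (ok, reason).

    Assumes the assertion signature and Conditions were already verified;
    this function covers the SubjectConfirmation element alone.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return False, "assertion has no Subject"
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not confirmations:
        return False, "Subject has no SubjectConfirmation"

    reasons = []
    for sc in confirmations:
        method = sc.get("Method")
        if method != CM_BEARER:
            # holder-of-key and similar methods need proof a browser cannot give
            reasons.append(f"method {method} cannot be satisfied by a browser")
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            reasons.append("bearer confirmation has no SubjectConfirmationData")
            continue
        # Recipient binds the bearer token to this SP's endpoint
        if scd.get("Recipient") != acs_url:
            reasons.append(f"Recipient {scd.get('Recipient')!r} is not this SP")
            continue
        # NotOnOrAfter limits the window in which a stolen token is usable
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or now >= parse_saml_time(expiry):
            reasons.append("bearer confirmation is expired or has no NotOnOrAfter")
            continue
        # InResponseTo ties the assertion to the AuthnRequest this SP sent
        if request_id is not None and scd.get("InResponseTo") != request_id:
            reasons.append("InResponseTo does not match an outstanding request")
            continue
        return True, "ok"
    return False, "; ".join(reasons)


def make_assertion(method, recipient, not_on_or_after, in_response_to):
    """Build a minimal, unsigned, constructed assertion for the demo."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="2005-11-09T16:10:00Z">'
        f'<saml:Issuer>https://idp.example.org/</saml:Issuer>'
        f'<saml:Subject><saml:NameID>gsarno</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}" '
        f'NotOnOrAfter="{not_on_or_after}" InResponseTo="{in_response_to}"/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
    )


SAMPLE_OK = make_assertion(CM_BEARER, ACS_URL, "2005-11-09T16:15:00Z", REQUEST_ID)
SAMPLE_WRONG_RECIPIENT = make_assertion(CM_BEARER, "https://other.example.net/acs",
                                        "2005-11-09T16:15:00Z", REQUEST_ID)
SAMPLE_EXPIRED = make_assertion(CM_BEARER, ACS_URL, "2005-11-09T16:11:00Z", REQUEST_ID)
SAMPLE_HOK = make_assertion(CM_HOLDER_OF_KEY, ACS_URL, "2005-11-09T16:15:00Z", REQUEST_ID)

if __name__ == "__main__":
    for name, xml in [("ok", SAMPLE_OK), ("wrong recipient", SAMPLE_WRONG_RECIPIENT),
                      ("expired", SAMPLE_EXPIRED), ("holder-of-key", SAMPLE_HOK)]:
        print(name, check_bearer_confirmation(xml, ACS_URL, REQUEST_ID, NOW))
```

Two practical notes on the design: the SP should retire `request_id` once an assertion has been accepted against it, so a bearer token captured from the browser cannot be replayed inside its `NotOnOrAfter` window; and a holder-of-key confirmation is deliberately rejected here rather than downgraded, since satisfying it would require the presenter to prove possession of the key named in the confirmation, which belongs to the server-to-server case the reply points to in the WS-Security SAML Token Profile.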

