saml-dev - RE: [saml-dev] Subject confirmation.
  • To: "Scott Cantor" <cantor.2@xxxxxxx>
  • From: "Alistair Young" <alistair@xxxxxxxxxxxxx>
  • Date: Tue, 29 Nov 2005 23:23:15 -0000 (GMT)
  • Cc: saml-dev@xxxxxxxxxxxxxxxxxxxx
Thanks Scott, it's getting clearer.

> What profiles spec?

Under Holder of key it says:

"The holder of the key named "By-Tor" or the holder of the key named "Snow
Dog" can confirm itself as the subject".

That's why I thought "proxy" as whatever entity has one of those keys may
or may not "be" the subject (confirm itself as the subject).

So it seems that the SAML semantics are open to interpretation depending
on what profile is in use. They're context sensitive. By defining a new
profile you can redefine the semantics, but within the global SAML core.
Just out of interest, was there any legal input to the SAML specs?

> Realistically, the answer to any question you ask could be "anything" if
> it doesn't violate explicit SAML core processing rules
I see what you mean now.


Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye

>> Reading the profiles spec seems to suggest that
>> SubjectConfirmation is a means to "proxy" the "real" Subject?
> What profiles spec? And no, it doesn't mean only that. It could mean that.
>> However, the asserting party can add additional information to the
>> assertion giving various third parties (attesting entities)
>> the right to "claim they are me"?
> If a profile defines that. No such profile currently exists. The language
> you're talking about is intended to *allow* a profile to do so. Nothing
> more
> or less.
>> i.e. in bearer in web sso:
>> "The bearer of the assertion [The Browser] can confirm itself as the
>> subject [Me]"
> Right, and web sso is a profile.
>> in holder of key, the asserting party is basically saying:
>> "anyone who holds the key or certificate identified in the
>> SubjectConfirmationData can claim to be Subject" - subject to
>> conditions of course.
> It means "associated" with the subject. Nothing more or less. Only the
> profile can define what "associated" means.
>> Does that mean that, say, SPa can sign something in the assertion it got
>> from IdP before passing it on to SPb and SPb can use the certificate/key in
>> SubjectConfirmationData to verify that SPa indeed has the key identified
>> in SubjectConfirmationData? If so, then SPb can assume that the attesting
>> entity (SPa) has a relationship with the asserting party (IdP) via its
>> key, which is identified in SubjectConfirmationData?
> A relationship, yes. You're jumping from that to being explicit about what
> the relationship is. Only a profile of use can do that.
> -- Scott

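The thread's point is that the relying party, not the assertion, decides what "bearer" and "holder of key" mean for the profile in use. As an added illustration of that (example code, not from this thread, from Scott or Alistair, or from any SAML implementation), the Python below evaluates the SubjectConfirmation elements of a constructed Subject fragment modelled on the profiles spec's "By-Tor"/"Snow Dog" example. The confirmation-method URIs and the SubjectConfirmationData attributes (NotOnOrAfter, Recipient, InResponseTo, ds:KeyInfo) are the ones defined in SAML 2.0 core and profiles; the bearer checks it applies are the Web SSO profile's, which the thread does not spell out, and the set of key names the presenter has "proven" is assumed to come from elsewhere (a TLS client certificate or a verified signature), which is the key-based relationship the last question asks about.

```python
"""Added example (not code from this thread or from any SAML implementation):
how a relying party might evaluate the SubjectConfirmation elements discussed
above. The confirmation-method URIs and the SubjectConfirmationData attributes
are those defined in SAML 2.0 core/profiles; the Subject fragment below is
constructed, modelled on the profiles spec's "By-Tor"/"Snow Dog" example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: one bearer confirmation scoped to a particular SP and
# request, and one holder-of-key confirmation naming two acceptable keys.
SAMPLE_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:NameID>alistair@example.org</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2005-11-29T23:30:00Z"
        Recipient="https://sp.example.org/acs" InResponseTo="_req42"/>
  </saml:SubjectConfirmation>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData>
      <ds:KeyInfo><ds:KeyName>By-Tor</ds:KeyName></ds:KeyInfo>
      <ds:KeyInfo><ds:KeyName>Snow Dog</ds:KeyName></ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def _parse_time(value):
    """Parse the xs:dateTime form used in the sample (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _expired(scd, now):
    """True if SubjectConfirmationData carries a NotOnOrAfter that has passed."""
    limit = scd.get("NotOnOrAfter")
    return limit is not None and now >= _parse_time(limit)


def confirm_subject(subject_xml, recipient, request_id, presenter_keys, now):
    """Return the Method URI of the first SubjectConfirmation the presenter
    satisfies, or None if it satisfies none.

    presenter_keys: names of keys the presenter has already proven possession
    of (e.g. via its TLS client certificate or a signature it produced); how
    that proof is obtained is outside this example.
    now: current time as an xs:dateTime string, e.g. "2005-11-29T23:25:00Z".
    """
    now_dt = _parse_time(now)
    keys_held = set(presenter_keys)
    subject = ET.fromstring(subject_xml)
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue  # nothing to check the presenter against
        if method == BEARER:
            # Bearer: whoever presents the assertion is the subject, but only
            # to the named Recipient, for the matching request, before expiry.
            if scd.get("Recipient") != recipient:
                continue
            if scd.get("InResponseTo") != request_id:
                continue
            if scd.get("NotOnOrAfter") is None or _expired(scd, now_dt):
                continue
            return method
        if method == HOLDER_OF_KEY:
            # Holder-of-key: the presenter must hold any one of the named keys.
            named = {kn.text for kn in scd.findall("ds:KeyInfo/ds:KeyName", NS)}
            if not (keys_held & named) or _expired(scd, now_dt):
                continue
            return method
        # Any other (unrecognised) method is not accepted.
    return None


if __name__ == "__main__":
    acs, req = "https://sp.example.org/acs", "_req42"
    # A browser that merely carries the assertion, before expiry: bearer.
    print(confirm_subject(SAMPLE_SUBJECT, acs, req, [], "2005-11-29T23:25:00Z"))
    # The same presenter after expiry: no confirmation left to satisfy.
    print(confirm_subject(SAMPLE_SUBJECT, acs, req, [], "2005-11-29T23:35:00Z"))
    # A party that proved it holds "Snow Dog", even after the bearer window.
    print(confirm_subject(SAMPLE_SUBJECT, acs, req, ["Snow Dog"], "2005-11-29T23:35:00Z"))
```

Note that the two confirmations are evaluated independently: once the bearer window has closed or the Recipient does not match, only a presenter that has proven possession of "By-Tor" or "Snow Dog" is still accepted, and a presenter with any other key is refused. Which keys count as "proven", and whether holding one of them means anything beyond "associated with the subject", is exactly what a profile has to define; this code encodes one reading for one relying party, not a universal semantics.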