OASIS Mailing List Archives
saml-dev message



Subject: Need help understanding <SubjectConfirmation>


Hi Folks,

 

Would you help me to understand the purpose of the SubjectConfirmation element?

 

Here a subject is being identified by his email address:

 

    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            j.doe@acompany.com
        </NameID>
    </Subject>

 

Why isn’t this sufficient to identify the subject?

 

Here is an example that both (1) identifies a subject by his email address, and (2) provides additional information about the subject using SubjectConfirmation.

 

    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            j.doe@acompany.com
        </NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
                <ds:KeyInfo>
                    <ds:KeyName>John Doe's Key</ds:KeyName>
                </ds:KeyInfo>
            </SubjectConfirmationData>
        </SubjectConfirmation>
    </Subject>

 

Here’s what the spec says:

 

“Subject confirmation takes place when a relying party seeks to verify the relationship between an entity presenting the assertion (that is, the attesting entity) and the subject of the assertion’s claims”

 

Suppose that I am a SAML authority and I send you an assertion containing the above <Subject> element.  According to the spec, the SubjectConfirmation will enable you to “verify the relationship …” What relationship are you verifying?  Are you verifying that I (the SAML authority) really do know about this fellow John Doe?  That is, by me providing you some intimate knowledge about John Doe, I am demonstrating that I really do know him.  Thus, you are able to “confirm” that I really do know this fellow John Doe, and you should accept any assertion that I make about him.  Is that what SubjectConfirmation is all about?

 

/Roger
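As an added illustration (editor's example, not part of the original message or of any OASIS code), here is what a relying party does with the two <Subject> variants quoted above when it receives the assertion. The quoted spec sentence talks about the relationship between the entity presenting the assertion and the subject; for the holder-of-key method that relationship is checked by comparing the key named in SubjectConfirmationData with the key the presenter has proved it holds (for example via TLS client authentication). The sample assertions, the issuer URL and the `presenter_key_name` parameter are constructed for this example; a real relying party compares key material rather than a KeyName string.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML_NS, "ds": DS_NS}

HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the second <Subject> from the message, wrapped in an
# Assertion with the namespace declarations the mail's fragment omits.
SAMPLE_HOLDER_OF_KEY = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    xmlns:xsi="{XSI_NS}" ID="_constructed-1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      j.doe@acompany.com
    </saml:NameID>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:KeyName>John Doe's Key</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: the first <Subject> from the message (NameID only).
SAMPLE_NAMEID_ONLY = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-2"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      j.doe@acompany.com
    </saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def subject_confirmations(assertion_xml):
    """Return [(Method, [KeyName, ...]), ...] for every SubjectConfirmation.

    KeyNames are taken from SubjectConfirmationData/ds:KeyInfo; a confirmation
    with no KeyInfo yields an empty list, which holder-of-key can never satisfy.
    """
    root = ET.fromstring(assertion_xml)
    result = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        names = [
            k.text.strip()
            for k in sc.findall("saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", NS)
            if k.text
        ]
        result.append((sc.get("Method"), names))
    return result


def confirm_subject(assertion_xml, presenter_key_name):
    """Return the NameID if the presenter satisfies a SubjectConfirmation, else None.

    presenter_key_name (assumed input): the KeyName of the key the entity that
    delivered the assertion has already proved it holds, e.g. the client
    certificate it authenticated with. None means the presenter proved nothing.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    for method, key_names in subject_confirmations(assertion_xml):
        if method == HOLDER_OF_KEY:
            # The relationship being verified: the presenter holds the key the
            # authority bound to the subject.
            if presenter_key_name is not None and presenter_key_name in key_names:
                return name_id
        # Bearer (and any other method) is not satisfied by key possession, and an
        # assertion with no SubjectConfirmation gives the relying party nothing to
        # check against the presenter, so it is never confirmed here.
    return None
```

The example deliberately accepts only holder-of-key and returns None for the NameID-only subject: the NameID says who the assertion is about, while SubjectConfirmation is what ties the party delivering the assertion to that subject. A production relying party verifies the assertion's XML signature before trusting any of this and parses untrusted XML with a hardened parser such as defusedxml rather than the stock `xml.etree` used here for brevity.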
