How is the subject identified in an AuthnRequest by a SP in Web Browser SSO Profile?

["Costello, Roger L." <costello@mitre.org>]

Hi Folks,

 

Suppose that, using a browser, a person accesses a Service Provider (SP).  The SP sends an AuthnRequest to an IdP.  My two questions are with regards to identifying the Subject in the AuthnRequest.

 

In Section 4.1.4.1, para 4 of the Profiles specification it says:

 

"Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion."

 

Question #1: How can this be? The SP doesn't know anything about the subject.  The SP just sees the HTTP header of the subject, which doesn't identify the subject.  All the SP knows is that "someone is knocking on his door".  How can the SP name the subject in the AuthnRequest as the above sentence suggests?

 

In the next sentence of the same para it says:

 

"This element MUST NOT contain any <SubjectConfirmation> elements."

 

This is just the opposite of what I would expect.  I would expect the SP to send an AuthnRequest (via the browser) to the IdP saying in effect: "please authenticate the bearer of this authentication request."  And isn't this expressed using a <SubjectConfirmation> element:

 

<Subject>

      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>

</Subject>

 

Question #2: Why wouldn't the subject be identified using SubjectConfirmation as I've shown?

 

/Roger