saml-dev message
Subject: How is the subject identified in an AuthnRequest by a SP in Web Browser SSO Profile?
- From: "Costello, Roger L." <costello@mitre.org>
- To: <saml-dev@lists.oasis-open.org>
- Date: Mon, 22 May 2006 13:26:05 -0400
Hi Folks,

Suppose that, using a browser, a person accesses a Service Provider (SP). The SP sends an AuthnRequest to an IdP. My two questions are with regards to identifying the Subject in the AuthnRequest.

In Section 4.1.4.1, para 4 of the Profiles specification it says:

"Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion."

Question #1: How can this be? The SP doesn't know anything about the subject. The SP just sees the HTTP header of the subject, which doesn't identify the subject. All the SP knows is that "someone is knocking on his door". How can the SP name the subject in the AuthnRequest as the above sentence suggests?

In the next sentence of the same para it says:

"This element MUST NOT contain any <SubjectConfirmation> elements."

This is just the opposite of what I would expect. I would expect the SP to send an AuthnRequest (via the browser) to the IdP saying in effect: "please authenticate the bearer of this authentication request." And isn't this expressed using a <SubjectConfirmation> element:

    <Subject>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </Subject>

Question #2: Why wouldn't the subject be identified using SubjectConfirmation as I've shown?

/Roger
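The two profile rules quoted in the message (a <Subject> in an AuthnRequest names an identity, and it MUST NOT carry <SubjectConfirmation>) are the kind of thing an IdP, or a test harness for an SP, would check on every incoming request. The following is an added example written for this page; it is not code from the saml-dev list, from the SAML specification, or from any SAML toolkit. It uses Python's standard xml.etree parser; the three sample requests, their ID, IssueInstant, Issuer and NameID values are constructed for the example, and the function names are hypothetical. The second sample is the exact shape proposed in the message, with a bearer SubjectConfirmation inside the request's Subject, so the reader can see what the rule rejects.

```python
"""Check a SAML 2.0 AuthnRequest against the Web Browser SSO profile rule on <Subject>.

Rule as quoted from Profiles section 4.1.4.1: the SP MAY include a <Subject> that
names the identity it wants an assertion about, and that element MUST NOT contain
any <SubjectConfirmation>.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Constructed sample: the SP names the identity it wants an assertion about.
# ID, IssueInstant, Issuer and NameID are made-up values for this example.
REQUEST_WITH_NAMEID = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-1" Version="2.0" IssueInstant="2006-05-22T17:26:05Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Constructed sample: the shape proposed in the message (a bearer SubjectConfirmation
# inside the request's Subject), which the quoted profile text forbids.
REQUEST_WITH_BEARER_CONFIRMATION = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-2" Version="2.0" IssueInstant="2006-05-22T17:26:05Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Constructed sample: no Subject at all, i.e. the SP does not name anybody.
REQUEST_WITHOUT_SUBJECT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-3" Version="2.0" IssueInstant="2006-05-22T17:26:05Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def check_authn_request_subject(xml_text):
    """Return a list of rule violations for the <Subject> of an AuthnRequest (empty list = OK)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]

    violations = []
    subjects = root.findall("saml:Subject", NS)
    if len(subjects) > 1:
        violations.append(f"{len(subjects)} Subject elements present; at most one is allowed")

    for subject in subjects:
        # MUST NOT: any SubjectConfirmation inside the request's Subject.
        confirmations = subject.findall("saml:SubjectConfirmation", NS)
        if confirmations:
            methods = ", ".join(c.get("Method", "?") for c in confirmations)
            violations.append(
                f"Subject contains SubjectConfirmation ({methods}); "
                "not allowed in a Web Browser SSO AuthnRequest")
        # A Subject that is present is there to name an identity: expect an identifier child.
        has_identifier = any(
            subject.find(tag, NS) is not None
            for tag in ("saml:BaseID", "saml:NameID", "saml:EncryptedID"))
        if not has_identifier:
            violations.append("Subject names no identity (no BaseID, NameID or EncryptedID)")
    return violations


def requested_subject(xml_text):
    """Return the NameID text the SP asks about, or None if the request names nobody."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.text is None:
        return None
    return name_id.text.strip()


if __name__ == "__main__":
    for label, req in (("NameID", REQUEST_WITH_NAMEID),
                       ("bearer confirmation", REQUEST_WITH_BEARER_CONFIRMATION),
                       ("no Subject", REQUEST_WITHOUT_SUBJECT)):
        print(label, "->", requested_subject(req), check_authn_request_subject(req) or "OK")
```

The check is deliberately separate from signature verification: in a real IdP the request's signature (or the signed redirect binding) is verified before any element of it is trusted, and a hardened XML parser (for example defusedxml in place of plain xml.etree) is used so that hostile input cannot exhaust the parser; both of those are assumptions about the surrounding deployment, not something the message above discusses.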