[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] How is the subject identified in an AuthnRequest by a SP in Web Browser SSO Profile?
> Question #1: How can this be? The SP doesn't know anything
> about the subject.

That's an assumption. The SP might have already logged the user in and is requesting a new assertion to refresh the session (see ReauthenticateOnOrAfter). Or the SP might be very low security and just cache the identity in a cookie, so when the user comes back it assumes the identity of the user and just wants fresh confirmation.

> This is just the opposite of what I would expect. I would
> expect the SP to send an AuthnRequest (via the browser) to
> the IdP saying in effect: "please authenticate the bearer of
> this authentication request." And isn't this expressed using
> a <SubjectConfirmation> element:

SubjectConfirmation pertains to the assertion you get back, not the request. In SSO, that is bearer, so there's nothing you need to specify. An AuthnRequest by definition is delivered by the entity who the issuer wants the IdP to authenticate. The bearer, if you will. SubjectConfirmation has nothing to do with that. The IdP is responsible for determining what proof(s) it requires to issue an assertion with the requested (or in this case implied) SubjectConfirmation.

> Question #2: Why wouldn't the subject be identified using
> SubjectConfirmation as I've shown?

Because it's implied by the profile and the protocol.

-- Scott
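The point of the reply above, shown as an added example that is not part of the thread and not code from any SAML implementation: the SP's AuthnRequest carries no <saml:Subject> at all (the subject is whoever the browser delivers it for), while the bearer <SubjectConfirmation> lives in the assertion the IdP sends back, and it is the SP that must check the SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) before it trusts the identity. The entity IDs, the ACS URL, the NameID "alice" and the 300 second lifetime are constructed values; XML signature verification is assumed to have been done before check_bearer_confirmation is called.

```python
"""SAML 2.0 Web Browser SSO: no Subject in the request, bearer
SubjectConfirmation in the assertion, and the SP-side check of it.
Added example; entity IDs, URLs and names are constructed."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def _now():
    return dt.datetime.now(dt.timezone.utc)


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    # SAML timestamps are UTC; ignore fractional seconds if present.
    if not s.endswith("Z"):
        raise ValueError("timestamp must be UTC (trailing Z): %r" % s)
    body = s[:-1].split(".")[0]
    return dt.datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def build_authn_request(sp_entity_id, acs_url, force_authn=False):
    """SP side. Deliberately no <saml:Subject>: the request names the
    issuer and where the response must go, not who the user is."""
    req_id = "_" + uuid.uuid4().hex
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": req_id, "Version": "2.0", "IssueInstant": _iso(_now()),
        "AssertionConsumerServiceURL": acs_url, "ProtocolBinding": HTTP_POST})
    if force_authn:  # ask the IdP not to reuse an existing session
        req.set("ForceAuthn", "true")
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    return req_id, ET.tostring(req, encoding="unicode")


def build_bearer_assertion(idp_entity_id, name_id, acs_url, in_response_to, lifetime_s=300):
    """IdP side. Having decided who delivered the request, the IdP asserts
    that identity with a bearer confirmation tied to the SP's ACS URL and
    to the request ID, valid only for a short window."""
    now = _now()
    a = ET.Element("{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = idp_entity_id
    subj = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = name_id
    sc = ET.SubElement(subj, "{%s}SubjectConfirmation" % SAML, {"Method": BEARER})
    ET.SubElement(sc, "{%s}SubjectConfirmationData" % SAML, {
        "Recipient": acs_url, "InResponseTo": in_response_to,
        "NotOnOrAfter": _iso(now + dt.timedelta(seconds=lifetime_s))})
    return ET.tostring(a, encoding="unicode")


def check_bearer_confirmation(assertion_xml, my_acs_url, outstanding_request_ids, now=None):
    """SP side. Returns the NameID once some bearer SubjectConfirmation is
    satisfied; raises ValueError otherwise. The matching request ID is
    consumed so the same assertion cannot be presented twice."""
    now = now or _now()
    subj = ET.fromstring(assertion_xml).find("{%s}Subject" % SAML)
    if subj is None:
        raise ValueError("assertion has no Subject")
    name_id = subj.findtext("{%s}NameID" % SAML)
    errors = []
    for sc in subj.findall("{%s}SubjectConfirmation" % SAML):
        if sc.get("Method") != BEARER:
            errors.append("unsupported method %s" % sc.get("Method")); continue
        scd = sc.find("{%s}SubjectConfirmationData" % SAML)
        if scd is None:
            errors.append("bearer confirmation without SubjectConfirmationData"); continue
        if scd.get("Recipient") != my_acs_url:
            errors.append("Recipient %r is not this SP's ACS" % scd.get("Recipient")); continue
        exp = scd.get("NotOnOrAfter")
        if exp is None or now >= _parse_iso(exp):
            errors.append("missing or expired NotOnOrAfter"); continue
        irt = scd.get("InResponseTo")
        if irt not in outstanding_request_ids:
            errors.append("InResponseTo %r does not match an outstanding request" % irt); continue
        outstanding_request_ids.discard(irt)  # single use
        return name_id
    raise ValueError("no SubjectConfirmation satisfied: " + "; ".join(errors))


def rejects(*args, **kwargs):
    """True if check_bearer_confirmation refuses the assertion."""
    try:
        check_bearer_confirmation(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req_id, req_xml = build_authn_request("https://sp.example.org/shibboleth", "https://sp.example.org/acs")
    print(req_xml)  # note: no Subject element anywhere in it
    assertion = build_bearer_assertion("https://idp.example.org/idp", "alice", "https://sp.example.org/acs", req_id)
    print(check_bearer_confirmation(assertion, "https://sp.example.org/acs", {req_id}))
```

The three attributes checked in check_bearer_confirmation are what makes "bearer" safe enough for browser SSO: Recipient stops an assertion minted for one SP being posted to another, NotOnOrAfter bounds how long a captured assertion is useful, and InResponseTo (consumed on use) ties the assertion to a request this SP actually made.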