OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] How is the subject identified in an AuthnRequest by a SP in Web Browser SSO Profile?


> Question #1: How can this be? The SP doesn't know anything 
> about the subject.

That's an assumption. The SP might have already logged the user in and is
requesting a new assertion to refresh the session (see
ReauthenticateOnOrAfter). Or the SP might be very low security and just
cache the identity in a cookie, so when the user comes back it assumes the
identity of the user and just wants fresh confirmation.

> This is just the opposite of what I would expect.  I would 
> expect the SP to send an AuthnRequest (via the browser) to 
> the IdP saying in effect: "please authenticate the bearer of 
> this authentication request."  And isn't this expressed using 
> a <SubjectConfirmation> element:

SubjectConfirmation pertains to the assertion you get back, not the request.
In SSO, that is bearer, so there's nothing you need to specify.

An AuthnRequest by definition is delivered by the entity whom the issuer
wants the IdP to authenticate. The bearer, if you will. SubjectConfirmation
has nothing to do with that. The IdP is responsible for determining what
proof(s) it requires to issue an assertion with the requested (or in this
case implied) SubjectConfirmation.

> Question #2: Why wouldn't the subject be identified using 
> SubjectConfirmation as I've shown?

Because it's implied by the profile and the protocol.

-- Scott
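As an added illustration of the two points made above (not code from the original thread or from any OASIS specification text): an SP's AuthnRequest carries no SubjectConfirmation at all and names a Subject only when it already knows who it expects back, while the bearer SubjectConfirmation lives on the assertion the IdP returns and is what the SP must check. The entity IDs, endpoint URLs, request IDs and the sample Response below are constructed for this example; signature verification is assumed to have been done already and is deliberately not shown.

```python
"""Added example: optional Subject in an AuthnRequest, and SP-side checking of
the bearer SubjectConfirmation on the assertion that comes back (SAML 2.0 Web
Browser SSO). All identifiers and URLs are constructed. The sample Response is
unsigned; real SP code must verify the signature before any of these checks."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://sp.example.org/saml/acs"  # constructed SP endpoint
IDP_SSO = "https://idp.example.org/sso"      # constructed IdP endpoint
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(dt):
    return dt.strftime(TS_FMT)


def _parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def build_authn_request(sp_entity_id, known_name_id=None):
    """Return (request_id, xml). No SubjectConfirmation appears in a request;
    the <saml:Subject> is optional and only set when the SP already knows the
    user (e.g. a session refresh) and wants that same subject confirmed."""
    req_id = "_" + uuid.uuid4().hex
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": _ts(datetime.now(timezone.utc)),
        "Destination": IDP_SSO,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    if known_name_id is not None:
        subj = ET.SubElement(root, f"{{{NS['saml']}}}Subject")
        ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = known_name_id
    return req_id, ET.tostring(root, encoding="unicode")


def make_sample_response(request_id, name_id, not_on_or_after,
                         method=BEARER, recipient=ACS_URL):
    """Constructed, unsigned sample Response standing in for what an IdP
    would POST back to the ACS URL. Example data only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2029-01-01T00:00:00Z"
    InResponseTo="{request_id}" Destination="{recipient}">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode
      Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2029-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="{method}">
        <saml:SubjectConfirmationData Recipient="{recipient}"
            InResponseTo="{request_id}" NotOnOrAfter="{_ts(not_on_or_after)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_bearer_confirmation(response_xml, request_id, expected_name_id=None,
                              now=None):
    """SP-side check of the returned assertion's SubjectConfirmation for the
    Web Browser SSO profile: at least one confirmation must be bearer, with
    Recipient == our ACS URL, InResponseTo == the request we sent, and an
    unexpired NotOnOrAfter. Returns the confirmed NameID or raises ValueError.
    If the request named a Subject, the assertion's NameID must match it."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("Assertion has no Subject")
    name_id = subject.findtext("saml:NameID", namespaces=NS)
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key etc. are not usable for browser SSO
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != ACS_URL:
            continue
        if data.get("InResponseTo") != request_id:
            continue  # replay or response to a request we never made
        noa = data.get("NotOnOrAfter")
        if noa is None or _parse_ts(noa) <= now:
            continue  # expired bearer confirmation
        if expected_name_id is not None and name_id != expected_name_id:
            raise ValueError("assertion subject differs from requested subject")
        return name_id
    raise ValueError("no acceptable bearer SubjectConfirmation")
```

The request builder shows the point in Scott's first answer in code: a Subject is present only when the SP supplies one, and nothing resembling SubjectConfirmation is ever sent. The checker shows where SubjectConfirmation actually matters: on the assertion, where the SP rejects anything that is not bearer, not addressed to its own ACS URL, not tied to its outstanding request ID, or already expired.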


