
saml-dev message


Subject: Re: [saml-dev] NameID-less SAML Subject


At least for SAML 2.0, I believe one use case is for use within an AuthnRequest. See SAML 2 core lines 2017-2024. The identifier (or entire Subject) can be omitted, in which case the subject is presumed to be the presenter of the message. You might have a Subject without the identifier if specific SubjectConfirmation is being requested in the resulting Assertion(s). For example, the user wants an Assertion returned with the holder-of-key subject confirmation method, with a specific key (possibly one of many that they own, presuming the IdP is willing, can associate that key with the user, etc.). The same goes for scoping down any of the possible subject confirmation data.


--Brent



Tom Scavo wrote:
> A SAML V1.1 Subject element may consist of a <SubjectConfirmation>
> element alone, without a <NameIdentifier> element:
>
> <complexType name="SubjectType">
>   <choice>
>     <sequence>
>       <element ref="saml:NameIdentifier"/>
>       <element ref="saml:SubjectConfirmation" minOccurs="0"/>
>     </sequence>
>     <element ref="saml:SubjectConfirmation"/>
>   </choice>
> </complexType>
>
> Similarly, a SAML V2.0 Subject element may consist of one or more
> <SubjectConfirmation> elements (again, without a name identifier):
>
> <complexType name="SubjectType">
>   <choice>
>     <sequence>
>       <choice>
>         <element ref="saml:BaseID"/>
>         <element ref="saml:NameID"/>
>         <element ref="saml:EncryptedID"/>
>       </choice>
>       <element ref="saml:SubjectConfirmation" minOccurs="0"
> maxOccurs="unbounded"/>
>     </sequence>
>     <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
>   </choice>
> </complexType>
>
> What is a use case for this type of SAML Subject?  Can someone give a
> real example of a SAML Subject without a name identifier?
>
> Thanks,
> Tom
>

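As an added example (not code from this thread), a small Python checker that applies the SAML 2.0 SubjectType choice Tom quotes to the AuthnRequest use case Brent describes: it tells whether a Subject names a principal, takes the SubjectConfirmation-only branch (subject is the presenter), or satisfies neither. The sample request, its issuer URL and key name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def classify_subject(subject):
    """Return (identifier_kind, [(method, has_keyinfo), ...]) for a saml:Subject.
    identifier_kind is None when the Subject takes the second branch of the
    schema choice quoted above (SubjectConfirmation elements only)."""
    ident = None
    for kind in ("BaseID", "NameID", "EncryptedID"):
        if subject.find(q(SAML2, kind)) is not None:
            ident = kind
    confs = []
    for sc in subject.findall(q(SAML2, "SubjectConfirmation")):
        scd = sc.find(q(SAML2, "SubjectConfirmationData"))
        has_key = scd is not None and scd.find(q(DS, "KeyInfo")) is not None
        confs.append((sc.get("Method"), has_key))
    if ident is None and not confs:  # neither branch of the choice is satisfied
        raise ValueError("Subject needs an identifier or a SubjectConfirmation")
    return ident, confs

def requested_confirmation(authn_request_xml):
    """Say what an AuthnRequest's optional Subject asks of the resulting Assertion."""
    root = ET.fromstring(authn_request_xml)
    subject = root.find(q(SAML2, "Subject"))
    if subject is None:  # no Subject at all: the subject is simply the presenter
        return {"identifier": None, "presenter_is_subject": True, "confirmations": []}
    ident, confs = classify_subject(subject)
    return {"identifier": ident, "presenter_is_subject": ident is None,
            "confirmations": confs}

# Constructed sample (hypothetical issuer and key name): a Subject with no
# identifier that asks for holder-of-key confirmation with one specific key.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s"
    xmlns:ds="%s" ID="_req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/placeholder</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="%s">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>user-key-1</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</samlp:AuthnRequest>""" % (SAMLP, SAML2, DS, HOLDER_OF_KEY)
```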
