Subject: RE: [saml-dev] NameID-less SAML Subject
If an Assertion in the response to an AuthnRequest does not contain a NameID in the Subject, what is the meaning of the SubjectConfirmation, in the context of SSO profiles?

The language in [SAMLCore] and in [SAMLProf], particularly as amended in the approved errata E47, speaks of the Subject as if it's the NameID:

"If an assertion is issued for use by an entity other than the subject, then that entity SHOULD be identified in the <SubjectConfirmation> element."

What would "other than the subject" mean in the above?

::Ari

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Sunday, March 02, 2008 2:49 PM
> To: 'Tom Scavo'
> Cc: 'SAML Developers'
> Subject: RE: [saml-dev] NameID-less SAML Subject
>
> > Interesting perspective. The IdP can't make this decision on its own,
> > however, since the SP may require an identifier for account linking.
>
> Which could be (and has been in many cases) an attribute. As I always try
> and explain, such decisions have never been assumed to be in-band and are
> simply part of deployments.
>
> > I don't see where it does. Where does it say in [SAMLBind] that a
> > <NameIdentifier> element is required?
>
> I may be mistaken. Longstanding assumption on my part.
>
> > Same here. I don't see in [SAML2Prof] where the <NameID> element is
> > required?
>
> It probably doesn't, most of that text was taken from SAML 1.1 and just
> repurposed. If it's not in 1.1, it probably isn't in 2.0.
>
> So, in effect, there's your answer...it's acceptable to not include a NameID
> during SSO, ergo there's your use case. I'd better make sure my code's fully
> handling that. ;-)
>
> -- Scott
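
An added example, not part of the thread or of any participant's code: one way a service provider could resolve the principal when the Subject carries only a SubjectConfirmation and no NameID, falling back to an attribute agreed out-of-band. It assumes the assertion's signature and conditions were already validated; the function name, the sample assertion, the example.org hosts and the choice of eduPersonPrincipalName as the linking attribute are all assumptions, and BaseID/EncryptedID are not handled.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # assumption: deployment links on eduPersonPrincipalName

# Constructed sample: Subject holds a bearer SubjectConfirmation but no NameID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2008-03-02T19:49:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_principal(assertion_xml, linking_attribute=EPPN):
    """Return (source, value) for the principal; raise ValueError if unresolved."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("assertion has no Subject")
    # The SSO profile still requires a bearer confirmation, NameID or not.
    methods = [c.get("Method") for c in subject.findall("saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        raise ValueError("no bearer SubjectConfirmation")
    name_id = subject.find("saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        return ("NameID", name_id.text.strip())
    # NameID absent: never treat None or "" as an identity; use the agreed attribute.
    values = [
        v.text.strip()
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == linking_attribute
        for v in a.findall("saml:AttributeValue", NS)
        if v.text and v.text.strip()
    ]
    if len(values) != 1:  # missing or ambiguous identifier: refuse to link an account
        raise ValueError("no NameID and no single-valued linking attribute")
    return ("attribute", values[0])
```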