OASIS Mailing List Archives



saml-dev message


Subject: RE: [saml-dev] NameID-less SAML Subject

> I understand that the SP's EntityID would be a logical candidate for
> inclusion in the SubjectConfirmation.
> What I meant was: Why, if the SubjectConfirmation is part of the Subject,
> we refer to an identifier in the SubjectConfirmation as an alternative to
> "subject" of the Assertion? Aren't we really trying to say "other than the
> principal"?

No, we're trying to say "other than the subject of the assertion" where
subject is meant more conceptually. The thing/person/concept about which it
was issued.

> Also, note that in [SAMLCore] section Processing Rules (for
> AuthnRequest protocol), we have:
> "The assertion(s) returned MUST contain a <saml:Subject> element that
> represents the presenter. The identifier type and format are determined by
> the identity provider."

I guess you could argue it should say "the identifier type and format, if
present, are determined..."

> If the SP will be the intended presenter of the Assertion, I would think
> that the SP's EntityID should go in the Subject, unless the principal's
> NameID is in the Subject, in which case the SP's EntityID would have to go
> in the SubjectConfirmation.

Not at all. Two *very* different meanings. The subject of the assertion is
reserved for the entity about which any statements in the assertion are
true. That isn't likely to be the SP in most delegation/impersonation use
cases. It's quite case-dependent whether the SP name belongs in one spot or
the other, not interchangeable.

-- Scott
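The distinction Scott draws above, as an added example that is not part of the original message or of any SAML toolkit: Subject/NameID names the entity the assertion's statements are about, while a NameID inside SubjectConfirmation names the entity expected to confirm (present) the assertion. The three assertion fragments are constructed and unsigned, and the entity IDs, principal name, assertion ID and Recipient URL are made up for illustration; the parser uses only the Python standard library.

```python
"""Added example (not from the original post): the two identifier slots in a
SAML 2.0 <saml:Subject>.  Subject/NameID names the entity the statements are
about (the principal); SubjectConfirmation/NameID names the entity expected
to confirm, i.e. present, the assertion.  Entity IDs, names and the assertion
fragments below are constructed for illustration; no signatures are included.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical identifiers (assumptions, not taken from the thread).
IDP = "https://idp.example.org/idp"
SP = "https://sp.example.com/metadata"
PRINCIPAL = "alice@example.org"


def assertion_with_subject(subject_inner: str) -> str:
    """Wrap a <saml:Subject> body in a minimal, unsigned assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_a1" '
        f'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{IDP}</saml:Issuer>"
        f"<saml:Subject>{subject_inner}</saml:Subject>"
        f"</saml:Assertion>"
    )


# 1. Delegation: the statements are about the principal; the SP will present it,
#    so the SP's entityID goes in SubjectConfirmation, not in Subject/NameID.
DELEGATION = assertion_with_subject(f"""
  <saml:NameID Format="{FMT_EMAIL}">{PRINCIPAL}</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:NameID Format="{FMT_ENTITY}">{SP}</saml:NameID>
    <saml:SubjectConfirmationData Recipient="{SP}/acs"/>
  </saml:SubjectConfirmation>""")

# 2. NameID-less Subject (the thread's topic): no principal identifier at all,
#    only a confirmation naming the presenter.
NAMEID_LESS = assertion_with_subject(f"""
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:NameID Format="{FMT_ENTITY}">{SP}</saml:NameID>
  </saml:SubjectConfirmation>""")

# 3. The reading Scott rejects: the SP's entityID moved into Subject/NameID.
#    Parsed per the spec, this assertion now makes statements *about the SP*
#    and names no confirming entity at all.
MISPLACED = assertion_with_subject(f"""
  <saml:NameID Format="{FMT_ENTITY}">{SP}</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}"/>""")


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def parse_subject(assertion_xml: str) -> dict:
    """Return the principal (Subject/NameID) and, per SubjectConfirmation,
    the confirming entity (SubjectConfirmation/NameID), kept separate."""
    root = ET.fromstring(assertion_xml)
    subj = root.find("saml:Subject", NS)
    if subj is None:
        raise ValueError("assertion has no saml:Subject")
    # find() with a relative path matches direct children only, so the NameID
    # nested inside a SubjectConfirmation is not mistaken for the principal.
    principal = _text(subj.find("saml:NameID", NS))
    confirmations = [
        {"method": sc.get("Method"),
         "confirming_entity": _text(sc.find("saml:NameID", NS))}
        for sc in subj.findall("saml:SubjectConfirmation", NS)
    ]
    # The schema requires an identifier, one or more SubjectConfirmations, or both.
    if principal is None and not confirmations:
        raise ValueError("saml:Subject must carry a NameID or a SubjectConfirmation")
    return {"principal": principal, "confirmations": confirmations}


def names_me_as_presenter(assertion_xml: str, my_entity_id: str) -> bool:
    """SP-side check: does some SubjectConfirmation name me as the entity
    expected to confirm this assertion?  Only SubjectConfirmation is consulted;
    Subject/NameID says who the assertion is about, not who may present it."""
    info = parse_subject(assertion_xml)
    return any(c["confirming_entity"] == my_entity_id
               for c in info["confirmations"])


if __name__ == "__main__":
    for label, doc in [("delegation", DELEGATION), ("nameid-less", NAMEID_LESS),
                       ("misplaced", MISPLACED)]:
        info = parse_subject(doc)
        print(label, "| principal:", info["principal"],
              "| confirming:", [c["confirming_entity"] for c in info["confirmations"]],
              "| SP named as presenter:", names_me_as_presenter(doc, SP))
```

Running the module prints one line per fragment: the delegation and NameID-less cases both name the SP as presenter (with and without a principal), while the "misplaced" fragment is parsed as an assertion about the SP that names no presenter, which is why the two slots cannot be swapped. A real SP would additionally check SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) and the signature; those checks are outside the point this example makes.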
