

Subject: Re: [saml-dev] Front-channel AttributeQuery Profile



On 11. nov.2009, at 15:01, Josh Howlett wrote:

>> I'd like to exploit the possibility of implicitly referring 
>> to the current user (as things are front-channel), and 
>> therefore I am a bit stuck because the AttributeQuery 
>> extends SubjectQueryAbstractType (if I remember correctly), 
>> where a Subject MUST be included.
> 
> IIRC, the response assertion must strongly match the requested subject as well.

Hi Josh! You're right, this is specified in core-3.3.4 - the Subjects MUST strongly match. That said, given the description in 3.3.4 two subjects may apparently strongly match even if a NameID is not included in one and is included in the other.

> 
>> Would it be a good idea to omit the NameID, and use 
>> SubjectConfirmation as sender-vouches or bearer... Something like 
>> this? Better ideas appreciated....
> 
> How about defining a new NameID which takes no value, but whose presence in the request indicates that the SAML Issuer must return a statement within the assertion which takes a value that names the subject of the enveloping assertion. It's fairly ugly, but...

I'm not sure if I follow completely... But if you take a closer look at my example, it is a schema-valid request with a subject without NameID at all. And at the same time, I think, it may be considered to strongly match the subject included in the response.

Andreas
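As an added example (not part of this thread, nor code from any SAML implementation), the following Python models the "strongly match" rule of core 3.3.4 that the reply above relies on, using constructed AttributeQuery and Assertion messages. It treats a query Subject that carries only a SubjectConfirmation and no NameID as imposing no identifier constraint, which is the reading Andreas describes. The comparison of NameID on value plus Format, NameQualifier and SPNameQualifier, and the matching of SubjectConfirmation elements on Method alone, are simplifying assumptions; the issuer URLs, IDs and timestamps are constructed.

```python
# Added example, not from the thread. Constructed messages; simplified reading
# of SAML core 3.3.4 (assumptions: NameID equality = value + Format +
# NameQualifier + SPNameQualifier; SubjectConfirmation match = same Method;
# a query Subject with no identifier imposes no identifier constraint).
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def subject_xml(name_id=None, fmt=None, methods=()):
    """Constructed <saml:Subject>: optional NameID plus SubjectConfirmations."""
    body = ""
    if name_id is not None:
        fmt_attr = f' Format="{fmt}"' if fmt else ""
        body += f"<saml:NameID{fmt_attr}>{name_id}</saml:NameID>"
    for m in methods:
        body += f'<saml:SubjectConfirmation Method="{m}"/>'
    return f'<saml:Subject xmlns:saml="{SAML}">{body}</saml:Subject>'


def attribute_query(subject):
    """Constructed AttributeQuery (schema shape only) around a Subject."""
    return (f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            'ID="_q1" Version="2.0" IssueInstant="2009-11-11T15:01:00Z">'
            '<saml:Issuer>https://sp.example.org</saml:Issuer>'
            f'{subject}<saml:Attribute Name="mail"/></samlp:AttributeQuery>')


def assertion(subject):
    """Constructed Assertion carrying the Subject an IdP would answer with."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
            'IssueInstant="2009-11-11T15:01:01Z">'
            '<saml:Issuer>https://idp.example.org</saml:Issuer>'
            f'{subject}<saml:AttributeStatement/></saml:Assertion>')


def _subject(doc):
    root = ET.fromstring(doc)
    return root if root.tag == f"{{{SAML}}}Subject" else root.find("saml:Subject", NS)


def _identifier(subj):
    """NameID as a comparable tuple, or None when the Subject has no NameID."""
    nid = subj.find("saml:NameID", NS)
    if nid is None:
        return None
    return ((nid.text or "").strip(), nid.get("Format"),
            nid.get("NameQualifier"), nid.get("SPNameQualifier"))


def _methods(subj):
    return {sc.get("Method") for sc in subj.findall("saml:SubjectConfirmation", NS)}


def strongly_matches(query_doc, assertion_doc):
    """True if the assertion's Subject strongly matches the query's Subject."""
    q, a = _subject(query_doc), _subject(assertion_doc)
    if q is None or a is None:
        return False
    # Identifier rule: only enforced when the query actually names someone.
    q_id = _identifier(q)
    if q_id is not None and q_id != _identifier(a):
        return False
    # Confirmation rule: if the query lists confirmations, the assertion must
    # offer at least one of them (simplified: compared on Method only).
    q_methods = _methods(q)
    return not q_methods or bool(q_methods & _methods(a))


if __name__ == "__main__":
    # The shape from the thread: the query Subject has only a bearer
    # confirmation, the answering Assertion adds the NameID.
    q = attribute_query(subject_xml(methods=[BEARER]))
    a = assertion(subject_xml("alice", PERSISTENT, methods=[BEARER]))
    print(strongly_matches(q, a))  # True under this reading
```

Running the module prints the result for the NameID-less query; a query that does name a subject is rejected when the assertion's NameID differs in value or Format, and a query asking for sender-vouches is rejected when the assertion only offers bearer confirmation.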

