Subject: Re: [saml-dev] Front-channel AttributeQuery Profile
2009/11/11 Scott Cantor <cantor.2@osu.edu>:
> Tom Scavo wrote on 2009-11-11:
>>> There's only one NameID in the Subject, so I'm not sure what case you're
>>> thinking of. He was suggesting that a request would have no NameID and the
>>> assertion would have one.
>>
>> The definition of "strongly matches" in Core allows that.
>
> I guess I'm not interpreting the text that way.

Then you're not interpreting it correctly.

> 3.3.4: If S2 includes an identifier element (<BaseID>, <NameID>, or
> <EncryptedID>), then S1 MUST include an identical identifier element.
>
> S1 and S2 are just arbitrary labels, and the matching property is reflexive.

No, it's not. I'm not sure how you're arriving at that conclusion.

> If one of them has an identifier, the other has to, or they don't match.

That's false, and this has been discussed at length within the SSTC.
In fact, there is a definition of *very strongly matches* that agrees
with your interpretation:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml1-profiles-assertion-subject-cs-01.pdf

but it is not the definition given in Core.

Tom
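
The two readings argued over in this message, as an added example that is not part of the original post or of any SAML implementation. It checks only the identifier condition quoted from Core 3.3.4, takes S1 as the assertion's Subject and S2 as the request's Subject (following Tom's statement about the request/assertion case), and models the symmetric reading from Scott's sentence rather than from the text of the linked profile. The function names and the sample Subjects are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = {f"{{{SAML}}}{n}" for n in ("BaseID", "NameID", "EncryptedID")}

def identifier(subject_xml):
    """Return a comparable form of the Subject's identifier element, or None."""
    # Constructed inputs only; use a hardened XML parser for untrusted messages.
    for child in ET.fromstring(subject_xml):
        if child.tag in ID_TAGS:
            if child.tag.endswith("EncryptedID"):
                # Ciphertext cannot be compared for identity; decrypt first.
                raise ValueError("decrypt EncryptedID before comparing")
            return (child.tag, (child.text or "").strip(),
                    tuple(sorted(child.attrib.items())))
    return None

def strongly_matches_id(s1_xml, s2_xml):
    """Quoted rule: only an identifier in S2 places a requirement on S1."""
    id2 = identifier(s2_xml)
    return id2 is None or identifier(s1_xml) == id2

def symmetric_match_id(a_xml, b_xml):
    """Scott's reading: if either side has an identifier, both must, identically."""
    return identifier(a_xml) == identifier(b_xml)

def subject(inner):
    """Wrap constructed child elements in a saml:Subject."""
    return f'<saml:Subject xmlns:saml="{SAML}">{inner}</saml:Subject>'

# Constructed samples: a request Subject with no identifier, and Subjects
# carrying a NameID.
CONF = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUEST_NO_ID = subject(CONF)
ASSERTION_ALICE = subject(
    f'<saml:NameID Format="{FMT}">alice@example.org</saml:NameID>' + CONF)
REQUEST_BOB = subject(f'<saml:NameID Format="{FMT}">bob@example.org</saml:NameID>')

if __name__ == "__main__":
    # Request without NameID, assertion with one: accepted by the quoted rule.
    print(strongly_matches_id(ASSERTION_ALICE, REQUEST_NO_ID))
    # Swapping the roles shows the rule depends on which Subject is S2.
    print(strongly_matches_id(REQUEST_NO_ID, ASSERTION_ALICE))
    # The symmetric reading rejects the same pair in either order.
    print(symmetric_match_id(ASSERTION_ALICE, REQUEST_NO_ID))
```

A responder that enforces only the quoted rule has to decide by other means which principal an identifier-less request refers to, since the rule itself places no constraint on the NameID it returns.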