OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] Front-channel AttributeQuery Profile


2009/11/11 Scott Cantor <cantor.2@osu.edu>:
> Tom Scavo wrote on 2009-11-11:
>>> There's only one NameID in the Subject, so I'm not sure what case you're
>>> thinking of. He was suggesting that a request would have no NameID and the
>>> assertion would have one.
>>
>> The definition of "strongly matches" in Core allows that.
>
> I guess I'm not interpreting the text that way.

Then you're not interpreting it correctly.

> 3.3.4: If S2 includes an identifier element (<BaseID>, <NameID>, or
> <EncryptedID>), then S1 MUST include an identical identifier element.
>
> S1 and S2 are just arbitrary labels, and the matching property is reflexive.

No, it's not. I'm not sure how you're arriving at that conclusion.

> If one of them has an identifier, the other has to, or they don't match.

That's false, and this has been discussed at length within the SSTC.
In fact, there is a definition of *very strongly matches* that agrees
with your interpretation:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml1-profiles-assertion-subject-cs-01.pdf

but it is not the definition given in Core.

Tom
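
The identifier sentence quoted from Core 3.3.4 above, written as a check so that both argument orders can be compared. This is an added example, not part of the original message or of any SAML library; it covers only the quoted sentence and NameID identifiers. The function names, the attributes used to judge "identical", and the sample Subjects are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = ("BaseID", "NameID", "EncryptedID")
# Assumption: "identical" is judged on the NameID value plus these attributes.
NAMEID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier")

def identifier(subject_xml):
    """Return a comparable key for the Subject's identifier, or None if it has none."""
    # Constructed input only; parse real messages with a hardened XML parser.
    subject = ET.fromstring(subject_xml)
    for tag in ID_TAGS:
        el = subject.find(f"{{{NS}}}{tag}")
        if el is None:
            continue
        if tag != "NameID":
            raise NotImplementedError(f"{tag} needs decryption or type-specific comparison")
        return ((el.text or "").strip(),) + tuple(el.get(a) for a in NAMEID_ATTRS)
    return None

def identifier_condition(s1_xml, s2_xml):
    """Quoted sentence: if S2 includes an identifier, S1 MUST include an identical one."""
    wanted = identifier(s2_xml)
    if wanted is None:
        return True  # S2 has no identifier, so the sentence places no requirement on S1
    return identifier(s1_xml) == wanted

def subject(inner):
    """Build a constructed sample Subject element."""
    return f'<saml:Subject xmlns:saml="{NS}">{inner}</saml:Subject>'

CONFIRMATION = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
NAME_ID = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           'user@example.org</saml:NameID>')
NO_ID = subject(CONFIRMATION)              # e.g. a request Subject without a NameID
WITH_ID = subject(NAME_ID + CONFIRMATION)  # e.g. an assertion Subject with a NameID

if __name__ == "__main__":
    print("S1=with id, S2=no id  :", identifier_condition(WITH_ID, NO_ID))
    print("S1=no id,   S2=with id:", identifier_condition(NO_ID, WITH_ID))
```

The SubjectConfirmation condition of the full definition is not on this page and is not checked here.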

