saml-dev message


Subject: AuthnRequest usage - 'recognize' principal


I am trying to determine if our usage of Subject in the AuthnRequest might violate section 4.1.4.1 "<AuthnRequest> Usage" of the Web Browser SSO Profile, particularly lines 525-528 (in saml-profiles-2.0-os.pdf) which states:

In the case where we are acting as the identity provider, we were planning on accepting the Subject name (userid on the Service Provider system) and just logging it for audit/debugging purposes. We don't have any way to verify that the user is actually that user, but we do trust the contents of the AuthnRequest, so if the Service Provider says that's the principal we believe them (it's their user). Is that trust good enough to satisfy the word "recognize" above? Should we maybe also make it part of our interface that if Subject is present, we want the Subject SPNameQualifier to equal Issuer?

Thanks

michael lucas  |  Senior Software Developer  |  Great-West Life
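The consistency rule floated in the post (accept an optional Subject, record it for audit, but insist that its NameID's SPNameQualifier equals the request's Issuer) as an added example, not code from the original post or from any SAML implementation; the AuthnRequest below is a constructed sample and the function and dataclass names are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not from the post): the SP names one of its
# own users in <Subject> and qualifies the NameID with its own entity ID.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID SPNameQualifier="https://sp.example.org/saml">jsmith</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

@dataclass
class SubjectCheck:
    issuer: str
    subject_name: Optional[str]        # None when the request carries no <Subject>
    sp_name_qualifier: Optional[str]
    accepted: bool
    reason: str                        # what the IdP writes to its audit log

def check_authn_request_subject(xml_text: str) -> SubjectCheck:
    """Subject is optional; if present, NameID@SPNameQualifier must equal Issuer.
    (Assumes the request was already received over a trusted, verified channel.)"""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise ValueError("AuthnRequest has no Issuer")

    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        return SubjectCheck(issuer, None, None, True, "no Subject supplied")
    subject_name = (name_id.text or "").strip()
    qualifier = name_id.get("SPNameQualifier")
    if qualifier != issuer:
        return SubjectCheck(issuer, subject_name, qualifier, False,
                            "Subject SPNameQualifier does not match Issuer")
    return SubjectCheck(issuer, subject_name, qualifier, True,
                        "Subject qualified by the issuing SP; recorded for audit")
```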


