Subject: AuthnRequest usage - 'recognize' principal
I am trying to determine if our usage of Subject in the AuthnRequest might violate section 4.1.4.1 "<AuthnRequest> Usage" of the Web Browser SSO Profile, particularly lines 525-528 (in saml-profiles-2.0-os.pdf) which states:
Note that the service provider MAY include a <Subject> element in the request that names the actual
identity about which it wishes to receive an assertion. This element MUST NOT contain any
<SubjectConfirmation> elements. If the identity provider does not recognize the principal as that
identity, then it MUST respond with a <Response> message containing an error status and no assertions.
In the case where we are acting as the identity provider, we were planning on accepting the Subject name (userid on Service Provider system) and just logging it for audit/debugging purposes. We don’t have any way to verify that the user is actually that user, but we do trust the contents of the AuthnRequest – so if the Service Provider says that’s the principal we believe them (it’s their user). Is that trust good enough to satisfy the word ‘recognize’ above? Should we maybe also make it part of our interface that if Subject is present, we want the Subject SPNameQualifier to equal Issuer?
Thanks
michael lucas | Senior Software Developer | Great-West Life
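For readers working through the same question, the following is an added example (not code from the thread, the poster, or any SAML library) of what an identity provider would check when an AuthnRequest carries a Subject: reject any SubjectConfirmation, optionally require SPNameQualifier to equal the Issuer (the interface rule proposed above), log the requested NameID for audit, and answer with an error-only Response when the authenticated user is not the requested principal. The sample request, entity IDs, request ID and timestamp are constructed placeholders; the status code URIs are the ones SAML 2.0 defines (Success, Requester, and the second-level UnknownPrincipal).

```python
"""Added example: IdP-side handling of a <Subject> in an AuthnRequest.

Assumption: the authenticated user identifier the IdP holds for the browser
session lives in the same namespace as the SP's NameID value, so the two can
be compared directly.
"""
import logging
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

log = logging.getLogger("idp.authnrequest")


def check_requested_subject(authn_request_xml, authenticated_user,
                            require_qualifier_is_issuer=True):
    """Return (ok, top_level_status, second_level_status, reason)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return (False, STATUS_REQUESTER, None, "not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    subject = root.find("saml:Subject", NS)
    if subject is None:
        # Subject is optional in the profile; the IdP picks the principal itself.
        return (True, STATUS_SUCCESS, None, "no Subject requested")
    if subject.findall("saml:SubjectConfirmation", NS):
        return (False, STATUS_REQUESTER, None,
                "Subject MUST NOT contain SubjectConfirmation")
    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return (False, STATUS_REQUESTER, None, "Subject without a NameID")
    requested = name_id.text.strip()
    # Audit trail of what the SP claimed, independent of the outcome.
    log.info("AuthnRequest from %s names principal %r", issuer, requested)
    qualifier = name_id.get("SPNameQualifier")
    if require_qualifier_is_issuer and qualifier is not None and qualifier != issuer:
        return (False, STATUS_REQUESTER, None,
                "SPNameQualifier does not match Issuer")
    if requested != authenticated_user:
        # The "recognize" clause: the IdP cannot vouch that the person it
        # authenticated is the requested identity, so no assertion is issued.
        return (False, STATUS_REQUESTER, STATUS_UNKNOWN_PRINCIPAL,
                f"requested {requested!r} is not the authenticated principal")
    return (True, STATUS_SUCCESS, None, "requested principal recognized")


def error_response(in_response_to, idp_entity_id, top_status, second_status=None):
    """Build a <samlp:Response> carrying only a <Status> and no assertions.

    ID and IssueInstant are fixed placeholders here; a real IdP generates a
    unique ID and the current UTC time.
    """
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {
        "ID": "_placeholder-response-id", "Version": "2.0",
        "IssueInstant": "2000-01-01T00:00:00Z", "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    top = ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": top_status})
    if second_status:
        ET.SubElement(top, f"{{{NS['samlp']}}}StatusCode", {"Value": second_status})
    return ET.tostring(resp, encoding="unicode")


def count_assertions(response_xml):
    """Helper for checking that an error Response really carries no assertion."""
    return len(ET.fromstring(response_xml).findall("saml:Assertion", NS))


# Constructed sample request; the entity IDs and request ID are made up.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req123" Version="2.0"
    IssueInstant="2000-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID SPNameQualifier="https://sp.example.test/metadata">jdoe</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    ok, top, second, why = check_requested_subject(SAMPLE_REQUEST, "someone-else")
    print(ok, why)
    if not ok:
        print(error_response("_req123", "https://idp.example.test/metadata", top, second))
```

The comparison against the session's authenticated user is what turns "we trust the SP's claim" into "we recognize the principal": the IdP logs the claimed NameID either way, but only issues an assertion when the identity it verified itself matches.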