Re: [saml-dev] AuthnRequest usage - 'recognize' principal

["Cantor, Scott" <cantor.2@osu.edu>]

On 8/2/13 9:40 AM, "Lucas, Mike" <Mike.Lucas@gwl.ca> wrote:

>In the case where we are acting as the identity provider, we were
>planning on accepting the Subject name (userid onService Provider system)
>and just logging it for audit/debugging purposes. Wedon¹t have any way to
>verify that the user is actually that user, but wedo trust the contents
>of the AuthnRequest­ soif the Service Provider says that¹s the principal
>we believe them (it¹s
> their user).

No, it's your user too. If not, how could you be authenticating them?

As Conor said, if you don't have a way to map from the Subject to a
principal in your system, you MUST fail the request. And unless the SP has
a good reason for specifying Subject, it shouldn't do so.

You don't have to return the exact same Subject, just a Subject that
represents the same principal in your system, and that meets the requested
NameIDPolicy, if any.

The point of a Subject element there is to provide a round trip guarantee
about the user identity to match back to something the SP has determined,
and as a minimal sort of NameID Mapping capability during SSO.

The primary purpose of that element is not for Web SSO, it's for stand
alone token request use cases.

-- Scott