OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] Common fields/attributes in Auth Response and Assertion


Thanks Scott.

In that case, for the common fields, is it enough if one validates the field/attribute contained in the Assertion? For instance, if I make sure that SubjectConfirmationData's InResponseTo matches the AuthnRequest's ID and ignore (do not validate) the Response's InResponseTo.

For the Web SSO Profile, what could be a likely scenario in which one of the common fields' values would be different (between Response & Assertion)?

Thanks,
Vasu

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Vasu Y <vyal2k@yahoo.com>; "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Sent: Monday, 7 April 2014 11:10 PM
Subject: Re: [saml-dev] Common fields/attributes in Auth Response and Assertion

On 4/7/14, 1:38 PM, "Vasu Y" <vyal2k@yahoo.com> wrote:

>What is the intent of some of the fields like Destination, InResponseTo,
>Issuer, IssueInstant, Version being present in both the SAML
>authentication Response as well as in the contained Assertion (like
>Recipient, InResponseTo in bearer SubjectConfirmationData, Issuer in
>both the Response and Assertion)?

So that signing the assertion is sufficient to secure the profile.


>Will the values of these common fields always be the same (between Response &
>Assertion) or can they be different sometimes? For instance, what
>could be a likely case when the value of Destination in Response and the
>value of Recipient in SubjectConfirmationData would be different?


That depends on the profile.

-- Scott
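The check Vasu asks about, written out as an added example (it is not code from the thread or from any SAML library): following Scott's point that the fields are duplicated so that the signed assertion alone secures the profile, the bearer SubjectConfirmationData is validated against the outstanding AuthnRequest ID and the SP's own ACS URL, and the Response-level copies are consulted only when the Response itself was signed. The sample Response, URLs and request ID are constructed; XML-DSig verification is assumed to be done separately (e.g. with xmlsec) and its outcome is passed in as flags, and Conditions/Audience checks are left out to keep the example short.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample Response for a Web SSO exchange (not taken from the thread).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2014-04-07T17:38:00Z" Destination="https://sp.example.org/acs"
  InResponseTo="_req123"><saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-04-07T17:38:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>vasu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          InResponseTo="_req123" NotOnOrAfter="2014-04-07T17:43:00Z"/>
      </saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate(xml_text, request_id, acs_url, issuer, now, assertion_signed, response_signed=False):
    """Return a list of failures (empty means accept). XML-DSig verification is
    assumed done already (e.g. via xmlsec) and reported through the *_signed flags;
    duplicated fields are checked on the Assertion, the element the signature covers."""
    if not assertion_signed:
        return ["assertion is not signed; nothing binds it to this request"]
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion in Response"]
    bad = []
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        bad.append("assertion Issuer is not the expected IdP")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                 "/saml:SubjectConfirmationData", NS)
    if scd is None:
        return bad + ["no bearer SubjectConfirmationData"]
    if scd.get("Recipient") != acs_url:
        bad.append("Recipient does not match our ACS URL")
    if scd.get("InResponseTo") != request_id:
        bad.append("InResponseTo does not match an outstanding AuthnRequest")
    if "NotOnOrAfter" not in scd.attrib or _ts(now) >= _ts(scd.get("NotOnOrAfter")):
        bad.append("bearer confirmation lacks NotOnOrAfter or has expired")
    # Unsigned Response attributes are unauthenticated and prove nothing.
    if response_signed and (root.get("Destination") != acs_url
                            or root.get("InResponseTo") != request_id):
        bad.append("signed Response Destination/InResponseTo do not match")
    return bad
```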





