Assertion level Subject

["Conor P. Cahill" <concahill@aol.com>]

I hate to break up the ongoing parlay about the LA specs with real
work, but.....

The current SAML spec, as I understand it, has a subject contained
within each statement, allowing for different subjects in different
statements.  While I have no problems with allowing for this,  I do
have a problem with requiring this, especially when, at least in our
case, all statements within an assertion will have the same subject. 
In fact, in every example that I have seen generated by others, the
subjects have been the same as well, so it isn't just me.

My issues with this are:

• Having multiple copies of the exact same data elements in different locations in a data structure is a bad design.  Especially when these elements contain identity critical data.
• It is wasteful of bytes (yes, XML is big, but there's no reason for us to make it even bigger).
• It requires duplicative processing at the consumption point (as the contents of the <Subject> get more complex, this becomes a significant issue -- for example, an encrypted identifier).
• In my experience, this creates resistance to adoption when a developer who is concerned about efficiency (which, IMHO, all should be to some extent) looks at this and sees something that doesn't make sense to them.  No jokes about seeing efficency and XML in the same email!
  

Note that I am NOT
objecting to the possiblity for there being different subjects.  I'm
sure there are reasonable use cases where that will come to be.  I am
just saying  that we should efficiently handle what I see as a common
use case.

So, I would like propose that we add an Assertion level <Subject>
that applies all statements without a statement level <Subject>. 

Barring such a solution, my next suggestion would be to add a Subject
reference mechanism so that a statement could refer to the
<Subject> in another statement (but this feels like a kludge to
me).

Conor