security-services message
Subject: SAML 1.1 POST Profile, SubjectConfirmation
- From: Kent Spaulding <kent.spaulding@skyworthttg.com>
- To: oasis sstc <security-services@lists.oasis-open.org>
- Date: Tue, 10 Nov 2009 12:42:17 -0500
Hi all,
This is regarding SubjectConfirmation in the SAML 1.1 POST Binding. I wonder if this has come up before; SAML 1.1 has been a standard for a long time.
The .xsd makes this SubjectConfirmation optional within a Subject; however, text in section 4.1.2.5 of http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf says:
For POST binding the relevant requirement is in section 4.1.2.5:
785 Every subject-based statement in the assertion(s) returned to the destination site MUST contain a
786 <saml:SubjectConfirmation> element. The <ConfirmationMethod> element in the
787 <SubjectConfirmation> MUST be set to urn:oasis:names:tc:SAML:1.0:cm:bearer.
It seems cut and dry that the SubjectConfirmation has to be there, despite the .xsd defining minOccurs="0". But, we've an implementer with a different take on this.
Does the TC have a statement (or guidance) that explains the relationship of the .xsd to the Binding Specification?
Thanks,
--Kent
--
Kent Spaulding | CTO
239 Kings Highway East | Haddonfield | New Jersey 08033 | USA
Mobile: +1 503 708 7116 | Office: +1 856 795 1722 | Fax: +1 856 795 1733
<http://www.skyworthttg.com/>
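
Added example, not part of the original message or of any OASIS artifact: a profile-level check that a destination site could run in addition to schema validation, since the schema alone accepts a Subject with no SubjectConfirmation. The function names, the sample assertion and its values are constructed for illustration, and treating anything other than a single bearer method as a violation is an assumed strict reading of lines 785-787.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
# Statement types that carry a <saml:Subject> in the SAML 1.1 assertion schema.
SUBJECT_STATEMENTS = {"SubjectStatement", "AuthenticationStatement",
                      "AttributeStatement", "AuthorizationDecisionStatement"}

def q(name):
    """Qualify a local name with the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML_NS, name)

def post_profile_violations(xml_text):
    """Return POST-profile violations that schema validation (minOccurs="0") misses."""
    problems = []
    for assertion in ET.fromstring(xml_text).iter(q("Assertion")):
        aid = assertion.get("AssertionID", "?")
        for stmt in assertion:
            local = stmt.tag.rsplit("}", 1)[-1]
            if stmt.tag != q(local) or local not in SUBJECT_STATEMENTS:
                continue  # Conditions, Advice, Signature, foreign elements
            conf = stmt.find("%s/%s" % (q("Subject"), q("SubjectConfirmation")))
            if conf is None:
                problems.append("%s/%s: no SubjectConfirmation" % (aid, local))
                continue
            methods = [(m.text or "").strip()
                       for m in conf.findall(q("ConfirmationMethod"))]
            # Assumption: strict reading, exactly one method and it must be bearer.
            if methods != [BEARER]:
                problems.append("%s/%s: ConfirmationMethod %s is not bearer"
                                % (aid, local, methods))
    return problems

def sample(confirmation_xml):
    """Constructed, unsigned test assertion with made-up values."""
    return ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
            'AssertionID="_constructed1" Issuer="https://idp.example.org" '
            'IssueInstant="2009-11-10T17:42:17Z"><saml:AuthenticationStatement '
            'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
            'AuthenticationInstant="2009-11-10T17:42:00Z"><saml:Subject>'
            '<saml:NameIdentifier>user@example.org</saml:NameIdentifier>%s'
            '</saml:Subject></saml:AuthenticationStatement></saml:Assertion>'
            % (SAML_NS, confirmation_xml))

def confirmation(method):
    """Constructed SubjectConfirmation fragment carrying one method URI."""
    return ('<saml:SubjectConfirmation><saml:ConfirmationMethod>%s'
            '</saml:ConfirmationMethod></saml:SubjectConfirmation>' % method)
```

A real deployment would run this only after the signature on the POSTed response has been verified, and on the same parsed tree that was verified.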