OASIS Mailing List Archives

security-services message


Subject: SAML 1.1 POST Profile, SubjectConfirmation

Hi all,

This is regarding SubjectConfirmation in the SAML 1.1 POST Binding.  I wonder if this has come up before; SAML 1.1 has been a standard for a long time.

The .xsd makes this SubjectConfirmation optional within a Subject; however, text in section of http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf says:

For POST binding the relevant requirement is in section

785 Every subject-based statement in the assertion(s) returned to the destination site MUST contain a
<saml:SubjectConfirmation> element. The <ConfirmationMethod> element in the
787 <SubjectConfirmation> MUST be set to urn:oasis:names:tc:SAML:1.0:cm:bearer.

It seems cut and dry that the SubjectConfirmation has to be there, despite the .xsd defining minOccurs="0".  But we've an implementer with a different take on this.

Does the TC have a statement (or guidance) that explains the relationship of the .xsd to the Binding Specification?

Kent Spaulding
239 Kings Highway East | Haddonfield | New Jersey 08033 | USA
Mobile: +1 503 708 7116 | Office: +1 856 795 1722 | Fax: +1 856 795 1733
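
One way a receiving site could enforce the requirement quoted above as a check separate from schema validation, since the schema's minOccurs="0" accepts an assertion with no SubjectConfirmation. This is an added example, not part of the original message or of the SAML specifications; the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"    # value quoted in the message
NS = {"saml": SAML_NS}
SUBJECT_STATEMENTS = {"SubjectStatement", "AuthenticationStatement",
                      "AttributeStatement", "AuthorizationDecisionStatement"}

def post_profile_violations(assertion_xml):
    """Return POST-profile violations that schema validation would not catch.

    Run this only after the signature on the response has been verified.
    """
    problems = []
    for el in ET.fromstring(assertion_xml).iter():
        ns, _, local = el.tag[1:].partition("}")
        if ns != SAML_NS or local not in SUBJECT_STATEMENTS:
            continue
        conf = el.find("saml:Subject/saml:SubjectConfirmation", NS)
        if conf is None:
            problems.append(local + ": missing SubjectConfirmation")
            continue
        methods = {(m.text or "").strip()
                   for m in conf.findall("saml:ConfirmationMethod", NS)}
        # Assumption: strict reading, bearer must be the only method present.
        if methods != {BEARER}:
            problems.append(local + ": ConfirmationMethod is not bearer")
    return problems

def confirmation(method):
    return ('<saml:SubjectConfirmation><saml:ConfirmationMethod>%s'
            '</saml:ConfirmationMethod></saml:SubjectConfirmation>' % method)

def sample(confirmation_xml):
    """Constructed sample assertion (signature and conditions omitted)."""
    return ('<saml:Assertion xmlns:saml="%s"><saml:AuthenticationStatement>'
            '<saml:Subject><saml:NameIdentifier>user@example.org'
            '</saml:NameIdentifier>%s</saml:Subject>'
            '</saml:AuthenticationStatement></saml:Assertion>'
            % (SAML_NS, confirmation_xml))

CONFORMANT = sample(confirmation(BEARER))
NO_CONFIRMATION = sample("")   # Subject without SubjectConfirmation
OTHER_METHOD = sample(confirmation("urn:example:cm:placeholder"))  # constructed URI

if __name__ == "__main__":
    for name in ("CONFORMANT", "NO_CONFIRMATION", "OTHER_METHOD"):
        print(name, post_profile_violations(globals()[name]) or "ok")
```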

