
security-services message



Subject: Glossary issue with the term "Principal"


As I do not yet have a privilege to create issues in JIRA, I am sending this issue to the list.

SAML Glossary 2.0 defines the term Principal as "A system entity whose identity can be authenticated. [X.811]". Other definitions, however, contradict this by using "principal" implicitly for non-system entities (aka. users), as in Account, Affiliation, IDP, Persistent Pseudonym, etc.
In addition, this is not a correct citation of X.811, which says "An entity whose identity can be authenticated."

I suggest fixing this in 2.1 by clarifying the definition, e.g. with this wording:
"An entity whose identity can be authenticated and which can be the subject of a SAML assertion"

My rationale for raising this issue was that an "UnknownPrincipal" exception should have revealed, without using a debugger, that the cause was a metadata misconfiguration, not a problem with the user's login account.

- Rainer

