Subject: errata: alternate definition of strongly matches
In SAML V1.1, the definition of strongly matches seems to imply that the SubjectConfirmation elements of the two Subjects have the same "deep structure", which is overly restrictive. In SAML V2.0, on the other hand, the definition of strongly matches rests on a condition that is difficult (if not impossible) to test, namely, the actual confirmation process itself. For reference, see the following discussion:

http://www.oasis-open.org/archives/saml-dev/200601/msg00010.html
http://www.oasis-open.org/archives/saml-dev/200610/msg00001.html

In lieu of the condition on lines 1954--1956 of SAMLCore, I will offer as errata to the SAML V2.0 definition of strongly matches the following alternate condition:

If S2 includes a <saml:SubjectConfirmation> element, then S1 MUST include a corresponding <saml:SubjectConfirmation> element such that

a) the values of the Method attributes of the two <saml:SubjectConfirmation> elements are equal, and

b) if the <saml:SubjectConfirmation> element of S2 contains a <saml:BaseID>, <saml:NameID>, or <saml:EncryptedID> element, then the <saml:SubjectConfirmation> element of S1 MUST contain an identical <BaseID>, <NameID>, or <EncryptedID> element (resp.).

This condition is testable at least. Comments?

Tom Scavo
NCSA/University of Illinois
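The alternate condition proposed above, implemented as an added example (not code from the post, from OASIS, or from any SAML toolkit). It checks only the SubjectConfirmation clause of the definition, reads "identical" as deep structural equality of the identifier element (an assumption), and runs against constructed sample Subjects; the sample shows that differing SubjectConfirmationData no longer prevents a match, which is the point of dropping the "deep structure" reading.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ID_TAGS = {f"{{{SAML}}}{n}" for n in ("BaseID", "NameID", "EncryptedID")}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def _identical(a, b):
    """Deep structural equality (this example's reading of 'identical'): tag, attributes, text, children."""
    return (a.tag == b.tag and a.attrib == b.attrib
            and (a.text or "").strip() == (b.text or "").strip()
            and len(a) == len(b) and all(_identical(x, y) for x, y in zip(a, b)))

def _identity_child(sc):
    """The BaseID, NameID or EncryptedID child of a SubjectConfirmation, or None if absent."""
    return next((c for c in sc if c.tag in ID_TAGS), None)

def _corresponds(sc1, sc2):
    """Clause a): equal Method; clause b): if sc2 carries an identifier, sc1 carries an identical one."""
    if sc1.get("Method") != sc2.get("Method"):
        return False
    id2 = _identity_child(sc2)
    if id2 is None:
        return True  # nothing more required; other content such as SubjectConfirmationData is ignored
    id1 = _identity_child(sc1)
    return id1 is not None and _identical(id1, id2)

def confirmations_strongly_match(s1_xml, s2_xml):
    """Proposed condition: every SubjectConfirmation in S2 has a corresponding one in S1."""
    s1_confs = ET.fromstring(s1_xml).findall("saml:SubjectConfirmation", NS)
    s2_confs = ET.fromstring(s2_xml).findall("saml:SubjectConfirmation", NS)
    return all(any(_corresponds(sc1, sc2) for sc1 in s1_confs) for sc2 in s2_confs)

def subject(*confs):
    """Build a constructed sample Subject from (Method, inner XML) pairs; sample data, not from the post."""
    body = "".join(f'<saml:SubjectConfirmation Method="{m}">{x}</saml:SubjectConfirmation>' for m, x in confs)
    return f'<saml:Subject xmlns:saml="{SAML}"><saml:NameID>alice</saml:NameID>{body}</saml:Subject>'

# Constructed cases: S2 is the Subject being matched against, the S1_* values are candidates.
S2 = subject((HOK, "<saml:NameID>kh</saml:NameID>"))
S1_OK = subject((BEARER, '<saml:SubjectConfirmationData NotOnOrAfter="2006-10-01T00:00:00Z"/>'),
                (HOK, "<saml:NameID>kh</saml:NameID><saml:SubjectConfirmationData/>"))
S1_OTHER_ID = subject((HOK, "<saml:NameID>other</saml:NameID>"))
S1_WRONG_METHOD = subject((BEARER, "<saml:NameID>kh</saml:NameID>"))
```

S1_OK matches S2 even though its holder-of-key confirmation carries extra SubjectConfirmationData, while a different NameID or Method fails the check.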