step-up authentication

Cantor, Scott cantor.2 at osu.edu
Sun Oct 13 16:01:05 EDT 2013


On 10/13/13 3:33 PM, "Tom Scavo" <trscavo at gmail.com> wrote:

>Seems right to me, but you were present when the spec was
>written...what was the intended use case for a Subject in an
>AuthnRequest?

The primary use case was for identifying the subject in a stand-alone
token request flow. It's what makes the SAML protocol equivalent to
WS-Trust, the ability to explicitly tailor an assertion.

After the fact some of the vendors seemed to think it had relevance to SSO
and the language was crafted to just say that the resulting assertion had
to be about the same principal identified in the request.

>Yes, I think SAML Core is clear about this, which is why I was hoping
>to use the Shib SP. This causes me to ask a somewhat different
>question, however: If the script included a RelayState value in the
>request, could the SP be induced to leverage the RelayState value upon
>return to validate the response to contain a strongly matching
>subject?

All relay state controls is the final redirect.


You can implement authorization checks in many different places against
whatever comes back. I'm just saying it does have to be checked because
regardless of signing, the SP doesn't care what was in the request that
produced a response. As long as unsolicited continues to be a use case,
that can't ever change.

-- Scott
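The subject check Scott describes, as an added example that is not code from the Shibboleth SP or from this thread: the SP records the principal it asked for when it issued the AuthnRequest and compares that to the NameID in whatever assertion comes back, since a response (solicited or unsolicited) carries no trustworthy link to the request that produced it. Names, the constructed sample Response and the tuple-based "expected subject" are assumptions; signature validation is assumed to have happened before this step.

```python
"""SP-side subject-match check on a returned SAML 2.0 assertion (constructed example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Format the spec assigns when a NameID carries no Format attribute.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def extract_subject(response_xml: str):
    """Return (NameID value, NameID Format) from the first assertion's Subject, or None."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip(), name_id.get("Format", UNSPECIFIED)


def subject_matches(response_xml: str, expected: tuple) -> bool:
    """Strong match: same NameID value AND the same Format the request asked for.

    RelayState is deliberately not consulted; it only controls the final redirect
    and says nothing about which principal the assertion is about.
    """
    got = extract_subject(response_xml)
    return got is not None and got == expected


def sample_response(name_id: str, fmt: str) -> str:
    """Constructed, unsigned, minimal Response used only to exercise the check."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    # The principal the SP recorded in its own session when it built the AuthnRequest.
    expected = ("alice@example.org", EMAIL)
    print(subject_matches(sample_response("alice@example.org", EMAIL), expected))       # True
    print(subject_matches(sample_response("bob@example.org", EMAIL), expected))         # False
    print(subject_matches(sample_response("alice@example.org", PERSISTENT), expected))  # False
```

The session-stored expected subject, not the request or RelayState, is what the returned assertion is compared against, so the same check works whether or not the IdP ever saw the request.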
