Consequences of Permitting SAML NameID to Subject Mapping

Marvin Addison serac at
Fri Aug 10 08:19:41 EDT 2018

We have run into a problem with a relying party that is sending a requested
NameID in SAML AuthnRequests:

    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
nobody at</saml:NameID>

I'd never seen this before, and frankly didn't even know it was a supported
capability of the SAML 2 spec, but I was able to convince myself it made
sense on further consideration. Upon reviewing configuration and docs [1]
to enable support for it, the defaults were so conservative that I wanted
to make sure I understand the consequences. My intention is to allow
mapping SAML NameIDs to subjects for a relying party group that includes
SPs that are highly trusted (i.e. paying customers, legal contracts).
That's simply a more manageable way than explicitly listing SPs per the
default configuration template.

What's the risk of allowing this reverse lookup?

Marvin at Virginia Tech

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list