Consequences of Permitting SAML NameID to Subject Mapping
Tom Scavo
trscavo at gmail.com
Fri Aug 10 20:12:19 EDT 2018
On Fri, Aug 10, 2018 at 4:47 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> The purpose of that feature was to support "stand alone" use of an IdP to request a token with specific content for web services. That's not a real use case anymore because WS-* died, so it's mostly a historical feature now.
>
> People misuse it now to say "I think it's Bob, so maybe see if it's Bob", but the rules are that if it's not Bob, you have to fail the request. That's usually not what people want.
Another use case is: I already have an authentication context for Bob,
but please confirm it is Bob, and use this RequestedAuthnContext to do
so.
Tom
More information about the users
mailing list