Consequences of Permitting SAML NameID to Subject Mapping

Tom Scavo trscavo at
Fri Aug 10 20:12:19 EDT 2018

On Fri, Aug 10, 2018 at 4:47 PM Cantor, Scott <cantor.2 at> wrote:
> The purpose of that feature was to support "stand alone" use of an IdP to request a token with specific content for web services. That's not a real use case anymore because WS-* died, so it's mostly a historical feature now.
> People misuse it now to say "I think it's Bob, so maybe see if it's Bob", but the rules are that if it's not Bob, you have to fail the request. That's usually not what people want.

Another use case is: I already have an authentication context for Bob,
but please confirm it is Bob, and use this RequestedAuthnContext to do
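An added example, not code from this thread or from the Shibboleth IdP, of the rule Scott states: an IdP-side check, run after the user has been authenticated, that fails the request when the AuthnRequest's Subject NameID does not match the session principal instead of quietly substituting the actual user, and that also honours the RequestedAuthnContext from Tom's use case. Namespaces and StatusCode values are SAML 2.0 core; the requests and principals are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
S = "urn:oasis:names:tc:SAML:2.0:status:"   # StatusCode URI prefix


def decide(authn_request_xml, session_principal, session_context):
    """Return (top-level StatusCode, second-level StatusCode or None).

    session_principal / session_context describe the already-authenticated
    IdP session the response would be issued from.
    """
    root = ET.fromstring(authn_request_xml)  # constructed, trusted input
    name_id = root.find("saml:Subject/saml:NameID", NS)
    wanted = (name_id.text or "").strip() if name_id is not None else None
    wanted_ctx = [e.text.strip() for e in root.findall(
        "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)]

    if wanted is not None and wanted != session_principal:
        # The rule from the thread: a request that names Bob must fail when
        # the authenticated user is not Bob; it is a constraint, not a hint.
        return (S + "Responder", S + "UnknownPrincipal")
    if wanted_ctx and session_context not in wanted_ctx:
        # Subject matched, but the session was not established with one of
        # the requested authentication context classes.
        return (S + "Responder", S + "NoAuthnContext")
    return (S + "Success", None)


def authn_request(name_id=None, context=None):
    """Build a minimal constructed AuthnRequest with optional Subject and
    RequestedAuthnContext (child order follows the SAML 2.0 schema)."""
    subject = (f"<saml:Subject><saml:NameID>{name_id}</saml:NameID>"
               "</saml:Subject>") if name_id else ""
    rac = (f'<samlp:RequestedAuthnContext Comparison="exact">'
           f"<saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>"
           "</samlp:RequestedAuthnContext>") if context else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0" '
            'IssueInstant="2018-08-10T20:00:00Z">'
            "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
            f"{subject}{rac}</samlp:AuthnRequest>")
```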