Consequences of Permitting SAML NameID to Subject Mapping

Marvin Addison serac at
Mon Aug 13 13:38:56 EDT 2018

On Fri, Aug 10, 2018 at 4:47 PM Cantor, Scott <cantor.2 at> wrote:

> > What's the risk of allowing this reverse lookup?
> Nothing really unless you allow Attribute Queries, then it provides direct
> access to whatever data is released to that SP based on that ID. You can
> think of it like a pseudo-token that effectively authorizes access to
> attributes about that subject.

Thank you for clarifying that, which is exactly what I was wondering. In
our particular case where we scope to trusted relying parties, that risk is
