Subject c14n on initial AuthnRequest

Cantor, Scott cantor.2 at
Tue Nov 17 18:04:48 UTC 2020

On 11/17/20, 12:56 PM, "users on behalf of Herron, Joel D" <users-bounces at on behalf of herronj at> wrote:

>    I have a vendor SP that is sending me a SAML Subject assertion on the initial AuthnRequest. I’ve never seen this before
> from a SP and we don’t have a flow setup to support this. Is this a common thing for an SP to do and should I enable 
> support for this? Currently, I’ve requested the vendor to support turning this feature off in their SP.


First one I ever ran into was a few weeks ago. I begged them to stop, but it didn't help and I had little choice, it was a fairly high profile case and they weren't exactly doing anything "wrong", so I couldn't say much.

It's not perfect because without custom code there are a lot of edge cases that still won't work. I have a bug open to add some case folding  support to the OOB flow so it's more palatable to live with it, and we're limping along and the vendor made some adjustments to lowercase the email addresses they were feeding me to limit the problems for now.

What they're doing is not what they think they're doing. The element in SAML is NOT a hint, and it's not meant for use during SSO, it was put there for other use cases.

-- Scott

More information about the users mailing list