Subject c14n on initial AuthnRequest

Herron, Joel D herronj at
Tue Nov 17 18:21:06 UTC 2020

Thanks Scott,

I think we have the same vendor, JumpForward. I assumed they were misappropriating that feature. They told me they would be putting the ability to drop it into a future sprint, for what that's worth.

If I wanted (forced) to support it, where should I be looking to do so?


On 11/17/20, 12:05 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:


    On 11/17/20, 12:56 PM, "users on behalf of Herron, Joel D" <users-bounces at on behalf of herronj at> wrote:

    >    I have a vendor SP that is sending me a SAML Subject assertion on the initial AuthnRequest. I’ve never seen this before
    > from a SP and we don’t have a flow setup to support this. Is this a common thing for an SP to do and should I enable 
    > support for this? Currently, I’ve requested the vendor to support turning this feature off in their SP.


    First one I ever ran into was a few weeks ago. I begged them to stop, but it didn't help and I had little choice, it was a fairly high profile case and they weren't exactly doing anything "wrong", so I couldn't say much.

    It's not perfect because without custom code there are a lot of edge cases that still won't work. I have a bug open to add some case folding support to the OOB flow so it's more palatable to live with it, and we're limping along and the vendor made some adjustments to lowercase the email addresses they were feeding me to limit the problems for now.

    What they're doing is not what they think they're doing. The element in SAML is NOT a hint, and it's not meant for use during SSO, it was put there for other use cases.

    -- Scott
