send Subject in SAML login flow

Cantor, Scott cantor.2 at osu.edu
Fri Jan 14 14:24:37 UTC 2022


On 1/14/22, 6:04 AM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at shibboleth.net on behalf of ignacio.amoeiro at extern.ibsalut.es> wrote:

>    For this we want to use the SAML login flow, but we want to know if it is possible to add in the AuthRequest the
> already authenticated subject in the authn/Password Flow. So they don't need to ask again for the UserID. Is
> this achievable?

There is no support for populating the Subject element in a request. Technically that is close to the semantic that the element has in SAML, but it isn't used properly by any SAML IdPs other than Shibboleth so we do not facilitate the misuse of the standard by sending it. If we identified a situation where it wouldn't be misused we might consider it.

My impression is that the majority of solutions relying on SAML proxying for MFA do it by handling all of the factors, not just one of them. You offload authentication to them in total.

-- Scott
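
The semantic referred to in the reply above, as an added example that is not part of the original message or of Shibboleth's code: in SAML 2.0 Core, a Subject in an AuthnRequest names the principal the resulting assertion must be about, so a receiving IdP that honours it compares it with whoever actually authenticated instead of using it to pre-fill a username. The function name, the sample request and the result labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AuthnRequest carrying a requested Subject.
# The ID, URLs and NameID value are invented for illustration.
SAMPLE_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2022-01-14T14:00:00Z"
    Destination="https://mfa.example.org/idp/sso">
  <saml:Issuer>https://proxy.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>
"""


def check_requested_subject(request_xml, authenticated_name):
    """Classify the request's Subject against the principal that logged in.

    absent      - no Subject: authenticate whoever presents the request
    match       - Subject names the authenticated principal: issue the assertion
    mismatch    - Subject names someone else: error status, no assertion
    unsupported - Subject present without a plain-text NameID: error status
    """
    # ElementTree is acceptable here because the input is constructed; parse
    # untrusted SAML with a hardened XML parser, after signature validation.
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    subject = root.find("saml:Subject", NS)  # direct child of the request only
    if subject is None:
        return "absent"
    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return "unsupported"
    # Exact comparison: the value constrains the result, it is not a login hint.
    if name_id.text.strip() == authenticated_name:
        return "match"
    return "mismatch"


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, check_requested_subject(SAMPLE_REQUEST, user))
```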



