send Subject in SAML login flow

Ignacio Amoeiro Bosch ignacio.amoeiro at
Fri Jan 14 17:07:09 UTC 2022

Thanks for the response, Scott


-----Original Message-----
From: users <users-bounces at> On behalf of Cantor, Scott
Sent: Friday, January 14, 2022 15:25
To: Shib Users <users at>
Subject: DMARC ErrorRe: send Subject in SAML login flow

On 1/14/22, 6:04 AM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at on behalf of ignacio.amoeiro at> wrote:

>    For this we want to use the SAML login flow, but we want to know if
> it is possible to add in the AuthRequest the already authenticated subject
> in the authn/Password Flow. So they don't need to ask again for the UserID. Is this achievable?

There is no support for populating the Subject element in a request. Technically that is close to the semantic that the element has in SAML, but it isn't used properly by any SAML IdPs other than Shibboleth so we do not facilitate the misuse of the standard by sending it. If we identified a situation where it wouldn't be misused we might consider it.

My impression is that the majority of solutions relying on SAML proxying for MFA do it by handling all of the factors, not just one of them. You offload authentication to them in total.

-- Scott
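
An added example, not part of the thread and not Shibboleth code: it shows what an AuthnRequest carrying a Subject looks like on the wire and how a receiving IdP could read it and refuse a login by a different user. Element names follow the SAML 2.0 schema; the entity ID, request ID, user name and the exact-match policy are assumptions, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: entity ID, request ID, timestamp and user are made up.
REQUEST_WITH_SUBJECT = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2022-01-14T15:00:00Z">
  <saml:Issuer>https://proxy.example.org/sp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Same request with the optional Subject element left out (constructed).
REQUEST_WITHOUT_SUBJECT = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2022-01-14T15:00:00Z">
  <saml:Issuer>https://proxy.example.org/sp</saml:Issuer>
</samlp:AuthnRequest>"""


def requested_subject(xml_text):
    """Return (format, value) of the NameID in the request's Subject, or None."""
    if "<!DOCTYPE" in xml_text:
        # Hardening: refuse DTDs before the XML parser sees them.
        raise ValueError("DTD not accepted in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None  # no Subject, or a Subject without an identifier
    return (name_id.get("Format"), name_id.text.strip())


def idp_accepts(xml_text, authenticated_user):
    """Receiving side: a named subject must be the user who actually logged in."""
    subject = requested_subject(xml_text)
    if subject is None:
        return True  # nothing requested; any authenticated user is acceptable
    return subject[1] == authenticated_user  # assumed policy: exact match
```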
