The SubjectConfirmation element is part of a Subject and is used in two manners on Subjects:

  • To hold a 'bearer' confirmation in a response to an AuthnRequest, to conform to the WebSSO profile.

A <Subject> in an <Assertion> can contain two different types of <SubjectConfirmation> elements. Below is a description of each of these usages. Note that bearer confirmations MAY be applicable to a single Assertion.

SubjectConfirmation for bearer confirmation (WebSSO)

In case a relying party is requesting authentication of a user according to the SAML Web SSO profile, a 'bearer' SubjectConfirmation is used (see SAML 2.0 Profiles, §3.3 and §4.1.4).

Element/@Attribute          | Cardinality (0..n) | Description
----------------------------|--------------------|----------------------------------------------------------------------------------
<SubjectConfirmation>       | 0..1               | (Only for the Declaration of Identity or a HM Summary Declaration to the DV) Allows for association of the client with the assertion, to conform to the SAML Web SSO profile.
  @Method                   | 1                  | MUST contain the value 'urn:oasis:names:tc:SAML:2.0:cm:bearer'.
  <SubjectConfirmationData> | 1                  |
    @NotBefore              | 0                  | MUST NOT be used.
    @NotOnOrAfter           | 1                  | Indicates the maximum validity of the assertion.
    @Recipient              | 1                  | The assertion consumer service index of the immediate requester to which an attesting entity can present the assertion.
    @InResponseTo           | 1                  | The ID of the request this assertion is in response to.
    @Address                | 0                  | MUST NOT be used.



Example SubjectConfirmation WebSSO
...
    <saml:Subject>
        ...
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="_52B816C631C564BACF59E758CBA91717" NotOnOrAfter="2016-02-05T09:11:48Z" Recipient="https://..."/>
        </saml:SubjectConfirmation>
    </saml:Subject>
...
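The table and example above state the rules a relying party has to enforce on the bearer confirmation before it accepts the assertion: Method is the bearer URI, NotBefore and Address are absent, NotOnOrAfter has not passed, Recipient is the endpoint the response arrived at, and InResponseTo names an AuthnRequest the relying party actually issued and has not yet consumed. The following check is an added example written for this page; it is not code from the specification or from any product. It assumes a stdlib-only Python validator, compares Recipient as an exact string against the ACS URL the response was received on (the example above uses a URL there), and uses a constructed <Subject> sample with a placeholder endpoint and the example's request ID as input.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample input (not taken from a live response): a <Subject> carrying
# the bearer confirmation exactly as the table above requires. The Recipient is a
# placeholder endpoint.
SAMPLE_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID>user-123</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_52B816C631C564BACF59E758CBA91717"
        NotOnOrAfter="2016-02-05T09:11:48Z"
        Recipient="https://sp.example.invalid/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), with optional fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported xs:dateTime: %r" % value)


def check_bearer_confirmation(subject_xml, expected_recipient, outstanding_request_ids, now):
    """Return a list of rule violations; an empty list means the bearer confirmation is acceptable.

    expected_recipient: the ACS URL this relying party received the response on (assumption:
    Recipient is compared as an exact string, as the example above uses a URL there).
    outstanding_request_ids: mutable set of AuthnRequest IDs this party issued and has not yet
    seen answered; a matching ID is consumed on success so the assertion cannot be replayed.
    now: timezone-aware datetime used for the NotOnOrAfter check.
    """
    errors = []
    subject = ET.fromstring(subject_xml)
    confirmations = subject.findall("{%s}SubjectConfirmation" % SAML_NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if len(bearer) != 1:
        return ["expected exactly one SubjectConfirmation with Method=%s, found %d"
                % (BEARER, len(bearer))]

    data = bearer[0].find("{%s}SubjectConfirmationData" % SAML_NS)
    if data is None:
        return ["SubjectConfirmationData is required (cardinality 1)"]

    # Attributes the profile forbids on a bearer confirmation.
    for forbidden in ("NotBefore", "Address"):
        if data.get(forbidden) is not None:
            errors.append("@%s MUST NOT be used" % forbidden)

    # NotOnOrAfter: required, and the assertion is invalid at or after that instant.
    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is None:
        errors.append("@NotOnOrAfter is required")
    elif now >= parse_saml_time(not_on_or_after):
        errors.append("assertion expired: NotOnOrAfter=%s" % not_on_or_after)

    # Recipient: required, and must be the endpoint that actually received the response.
    recipient = data.get("Recipient")
    if recipient is None:
        errors.append("@Recipient is required")
    elif recipient != expected_recipient:
        errors.append("Recipient %r does not match this endpoint %r" % (recipient, expected_recipient))

    # InResponseTo: required, and must name a request we issued and have not yet consumed,
    # which rejects unsolicited responses and a second presentation of the same assertion.
    in_response_to = data.get("InResponseTo")
    if in_response_to is None:
        errors.append("@InResponseTo is required")
    elif in_response_to not in outstanding_request_ids:
        errors.append("InResponseTo %r does not match an outstanding AuthnRequest" % in_response_to)

    if not errors:
        outstanding_request_ids.discard(in_response_to)
    return errors


if __name__ == "__main__":
    pending = {"_52B816C631C564BACF59E758CBA91717"}
    received_at = "https://sp.example.invalid/acs"
    print(check_bearer_confirmation(SAMPLE_SUBJECT, received_at, pending,
                                    parse_saml_time("2016-02-05T09:00:00Z")))
    # A second presentation of the same assertion now fails: the request ID was consumed.
    print(check_bearer_confirmation(SAMPLE_SUBJECT, received_at, pending,
                                    parse_saml_time("2016-02-05T09:00:00Z")))
```

The check deliberately reports every violated rule rather than stopping at the first one, which makes the rejection log useful when debugging an identity provider's output, and it only consumes the request ID once all rules pass, so a rejected response cannot be used to invalidate a legitimate one still in flight.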



