Bugzilla – Bug 4582
ConfirmationMethod of embedded SAML assertion
Last modified: 2008-04-25 21:11:53
The client that embeds a SAML assertion in an X.509 cert includes the following
This URI is incorrect (since it's an AuthenticationMethod URI). Instead it
should be a ConfirmationMethod URI (see section 5 of SAMLBind).
The following SubjectConfirmation element is recommended:
The only other reasonable choice is holder-of-key, but since the principal has
already proved possession of the key corresponding to the certificate, and
since the assertion is consumed and thrown away (i.e., not cached or
forwarded), bearer is good enough.
OK, the next patch will contain a change to bearer. Accompanying this will be a
change to the consuming PIP to treat anything other than bearer as invalid. Later
we can support others if needed.
Fix committed to trunk. Confirmation method has been changed in the createproxy
and the SAMLAuthnAssertionPIP will throw an error if any other confirmation
method is used.
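The consuming-side check the last comment describes, as an added example that is not the project's own code: it accepts only the bearer ConfirmationMethod of a SAML 1.1 assertion and rejects anything else, including an AuthenticationMethod URI misused as a confirmation method (the defect this bug reports). The namespace and URIs are the standard SAML 1.x ones; the sample assertion and the function names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Standard SAML 1.x identifiers (SAML 1.1 core / bindings specs).
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
AM_PREFIX = "urn:oasis:names:tc:SAML:1.0:am:"  # AuthenticationMethod URIs, never valid here


def confirmation_methods(assertion_xml):
    """Return every ConfirmationMethod URI found under a SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    path = ".//{%s}SubjectConfirmation/{%s}ConfirmationMethod" % (SAML1_NS, SAML1_NS)
    return [(e.text or "").strip() for e in root.findall(path)]


def check_confirmation(assertion_xml):
    """Policy from the bug: exactly one ConfirmationMethod, and it must be bearer.

    Returns (accepted, reason). Any other method is rejected; an AuthenticationMethod
    URI in this position is reported separately since it is a distinct mistake."""
    methods = confirmation_methods(assertion_xml)
    if not methods:
        return False, "no ConfirmationMethod present"
    if len(methods) != 1:
        return False, "expected exactly one ConfirmationMethod, got %d" % len(methods)
    method = methods[0]
    if method.startswith(AM_PREFIX):
        return False, "AuthenticationMethod URI used as ConfirmationMethod: " + method
    if method != CM_BEARER:
        return False, "unsupported ConfirmationMethod: " + method
    return True, "bearer"


def assertion_with(method_uri):
    """Constructed sample SAML 1.1 assertion with the given ConfirmationMethod."""
    return """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1"
  AssertionID="_constructed-example" Issuer="https://issuer.example/">
  <saml:AuthenticationStatement AuthenticationMethod="%sX509-PKI"
    AuthenticationInstant="2008-04-25T21:11:53Z">
    <saml:Subject>
      <saml:NameIdentifier>CN=Example User</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>%s</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>""" % (SAML1_NS, AM_PREFIX, method_uri)


if __name__ == "__main__":
    for uri in (CM_BEARER, AM_PREFIX + "X509-PKI", CM_HOLDER_OF_KEY):
        print(uri, "->", check_confirmation(assertion_with(uri)))
```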