What is meant by SubjectConfirmation in a SAML assertion used as an OAuth2 grant?

The OAuth2 SAML bearer assertion profile describes how an application can present an assertion to a token endpoint as an authorization grant. For example, the Salesforce API supports this approach so that applications can autonomously request access tokens for a user account (if the user has already given permission for this out of band).

I'm having trouble understanding what an assertion means. Most of it is clear enough, for example:

  • Issuer - the party that generated (and signed) the assertion.
  • Subject - the user whose account an access token is being requested for.
  • AudienceRestriction - limits the audience to the token endpoint.

But I find it hard to understand the meaning of these:

  • AuthnStatement - My understanding from the SAML specification is that the issuer of this assertion is stating that it (the issuer) has authenticated the subject. Is that correct?

  • SubjectConfirmation - who confirms what here? The SAML spec just says that this element is "information that allows the subject to be confirmed." But what is confirmation? And who does it, and how, and when, and for what purpose?

AuthnStatement element

AuthnStatement describes the act of authentication at the identity provider. If the issuer authenticated the subject, the assertion MUST contain one AuthnStatement representing that authentication event.

Example:

  <AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z">
    <AuthnContext>
      <!-- Authentication method: was the client authenticated with a digital
           certificate, a password, or a Kerberos token? Exactly one class
           reference goes here; the X509 class is used in this example. -->
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
      <!-- Alternatives:
           urn:oasis:names:tc:SAML:2.0:ac:classes:Password
             (applicable when a principal authenticates to an authentication
              authority by presenting a password over an unprotected HTTP session)
           urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos -->
    </AuthnContext>
  </AuthnStatement>
SubjectConfirmation element

SubjectConfirmation allows the authorization server to confirm the assertion as a bearer assertion. Such an element MUST have a Method attribute with the value "urn:oasis:names:tc:SAML:2.0:cm:bearer". The SubjectConfirmation element MUST contain a SubjectConfirmationData element (with some exceptions) that specifies the URL of the authorization server's token endpoint. The authorization server MUST verify that the value of the Recipient attribute matches the token endpoint URL to which the assertion was delivered.

Example:

  <!-- Method is mandatory -->
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <!-- InResponseTo: the ID of the AuthnRequest this responds to.
         Recipient:    the token endpoint URL the assertion was sent to by HTTP POST.
         NotOnOrAfter: the assertion is not valid on or after this time. -->
    <saml:SubjectConfirmationData
        InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        Recipient="https://sp.example.com/SAML2/SSO/POST"
        NotOnOrAfter="2004-12-05T09:27:05"/>
  </saml:SubjectConfirmation>
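The checks the answer above lists for a bearer SubjectConfirmation, as an added example that is not part of the original answer: the token endpoint URL https://as.example.com/oauth2/token and the sample assertion are constructed; signature, Issuer and AudienceRestriction validation are assumed to happen elsewhere.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def parse_saml_time(value):
    """Parse an xs:dateTime as used in SAML ('Z' suffix, optional fraction); naive values count as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def confirm_bearer_subject(assertion_xml, token_endpoint, now=None):
    """Return (True, 'ok') if some SubjectConfirmation confirms the assertion as a bearer
    assertion for this token endpoint and is still within its validity window; else (False, reason)."""
    if now is None:
        now = datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    confs = root.findall(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}SubjectConfirmation")
    if not confs:
        return False, "no SubjectConfirmation element"
    for conf in confs:
        if conf.get("Method") != BEARER:           # Method MUST be the bearer URN
            continue
        data = conf.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        if data is None:                           # SubjectConfirmationData MUST be present
            continue
        if data.get("Recipient") != token_endpoint:  # Recipient MUST match our token endpoint exactly
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_saml_time(expiry):  # not valid on or after NotOnOrAfter
            continue
        return True, "ok"
    return False, "no bearer SubjectConfirmation is valid for this token endpoint at this time"

# Constructed sample assertion (not from the original page), trimmed to the elements checked here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://as.example.com/oauth2/token"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(confirm_bearer_subject(SAMPLE_ASSERTION, "https://as.example.com/oauth2/token",
                                 parse_saml_time("2024-01-01T00:04:59Z")))
```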

Yes, AuthnStatement is the issuer of the assertion stating that it has authenticated the subject.

SubjectConfirmation indicates how a party that wants to rely on the assertion can confirm that the subject making the request is the subject referred to in that assertion. The assertion may be valid, but is it for the user making this request? If the method is bearer, then any entity that can submit this assertion to the endpoint given in Recipient before the time in NotOnOrAfter is confirmed. If the method is holder-of-key, only a subject that can prove possession of the key referenced by the nested KeyInfo element is confirmed.
