mace-opensaml-users - Re: Multiple subjects in SAML 1.x statement?

Subject: OpenSAML user discussion

Re: Multiple subjects in SAML 1.x statement?


  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: Multiple subjects in SAML 1.x statement?
  • Date: Thu, 13 Dec 2007 14:15:30 -0500

On Dec 13, 2007 1:43 PM, Scott Cantor <> wrote:
> > I am using the OpenSAML 1.1 Java version. According to SAML 1.x schema, the
> > message can contain multiple subjects in SAML statement. But in OpenSAML
> > API, I didn't see the ability to do it?
>
> The schema does not permit that. It permits multiple statements. None of the
> predefined statements permit multiple subjects.

That's true, but in the V1.1 schema the Subject element is a child
element of the statement so in effect a single assertion can refer to
multiple subjects.

> Nor does SAML 2 permit
> multiple subjects in an assertion.

In V2.0, the Subject element is a child element of the assertion so a
single assertion necessarily refers to a single subject. This is an
important difference between V1.1 and V2.0.

(Scott, I know you know these things, I'm simply stating them for
completeness.)

I've written a profile for SAML V1.1 assertions that anticipates this
and other differences between V1.1 and V2.0. We've implemented this
profile using OpenSAML 1.1. The implementation enforces the "one
subject" rule per assertion, for instance.

Tom
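
The "one subject" rule from the message above, as an added example that is not part of the original post and is not the OpenSAML-based implementation it mentions: a consumer-side check that walks the statements of a V1.1 assertion and rejects it unless every statement names the same subject. The function names, the sample assertion, and the choice to compare subjects by NameIdentifier value, Format and NameQualifier are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace used by SAML V1.0 and V1.1
NS = {"saml": SAML1}

def statement_subjects(assertion):
    """Collect the distinct subjects named by the statements of one assertion.

    Assumption: subjects are compared by NameIdentifier value, Format and
    NameQualifier only; SubjectConfirmation is ignored.
    """
    found = set()
    # V1.1: Subject is a child of each statement, so look one level below Assertion.
    for subject in assertion.findall("./*/saml:Subject", NS):
        nid = subject.find("saml:NameIdentifier", NS)
        if nid is None:
            found.add(None)  # subject identified by confirmation only
        else:
            found.add(((nid.text or "").strip(), nid.get("Format"), nid.get("NameQualifier")))
    return found

def require_single_subject(xml_text):
    """Return the one subject of a V1.1 assertion, or raise ValueError."""
    # Assumption: signature validation and hardened XML parsing happened upstream.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        raise ValueError("not a SAML 1.x Assertion")
    subjects = statement_subjects(root)
    if len(subjects) != 1 or None in subjects:
        raise ValueError("expected exactly one named subject, found %d" % len(subjects))
    return subjects.pop()

def sample_assertion(names):
    """Constructed test input: one AttributeStatement per name in `names`."""
    stmts = "".join(
        '<saml:AttributeStatement><saml:Subject>'
        '<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        + n + '</saml:NameIdentifier></saml:Subject>'
        '<saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">'
        '<saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement>' for n in names)
    return ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
            'AssertionID="_constructed" Issuer="https://idp.example.org" '
            'IssueInstant="2007-12-13T19:15:30Z">%s</saml:Assertion>' % (SAML1, stmts))

if __name__ == "__main__":
    print(require_single_subject(sample_assertion(["alice@example.org"] * 2)))
    try:
        require_single_subject(sample_assertion(["alice@example.org", "bob@example.org"]))
    except ValueError as err:
        print("rejected:", err)
```

A V2.0 consumer needs no such loop, because there the Subject is a single child of the assertion itself.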


