mace-opensaml-users - RE: Multiple subjects in SAML 1.x statement?

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Multiple subjects in SAML 1.x statement?
  • Date: Thu, 13 Dec 2007 14:23:21 -0500
  • Organization: The Ohio State University

> That's true, but in the V1.1 schema the Subject element is a child
> element of the statement so in effect a single assertion can refer to
> multiple subjects.

This is structurally true but pragmatically "frowned on", not only because
it doesn't work in SAML 2, but because nobody came up with a use case for it
that didn't just involve sending different identifiers for the same person.
So, I wouldn't do it.

> I've written a profile for SAML V1.1 assertions that anticipates this
> and other differences between V1.1 and V2.0. We've implemented this
> profile using OpenSAML 1.1. The implementation enforces the "one
> subject" rule per assertion, for instance.

Yes, my general opinion is that using SAML 1.1 to do something you can't do
in SAML 2.0 would be a bad idea.

Have you thought about tossing that profile over the wall to OASIS?

-- Scott
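An added check, not from this thread or from OpenSAML, that enforces the "one subject per assertion" rule discussed above on a SAML 1.1 assertion using only the Python standard library. The assertion XML, issuer and identifier values are constructed for the example.

```python
"""Added example: enforce 'one subject per assertion' on SAML 1.1 XML."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 namespace
NS = {"saml": SAML1_NS}

def subjects_of(assertion_xml: str) -> list[tuple[str, str, str]]:
    """(Format, NameQualifier, value) of each statement's <Subject>.
    In SAML 1.1 the Subject belongs to each statement, not the assertion,
    so one assertion can legally name several principals."""
    root = ET.fromstring(assertion_xml)
    found = []
    for stmt in root:  # every SAML 1.1 statement type carries its own Subject
        subj = stmt.find("saml:Subject", NS)
        if subj is None:
            continue  # Conditions, Advice, Signature are not statements
        nid = subj.find("saml:NameIdentifier", NS)
        if nid is None:  # confirmation-only Subject names no principal
            raise ValueError("Subject without NameIdentifier in " + stmt.tag)
        found.append((nid.get("Format", ""), nid.get("NameQualifier", ""),
                      (nid.text or "").strip()))
    return found

def has_single_subject(assertion_xml: str) -> bool:
    """True iff the assertion has statements and all name the same subject."""
    subjects = subjects_of(assertion_xml)
    return bool(subjects) and len(set(subjects)) == 1

def _subject(value: str) -> str:
    fmt = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    return (f'<saml:Subject><saml:NameIdentifier Format="{fmt}">{value}'
            '</saml:NameIdentifier></saml:Subject>')

def _assertion(authn_subject: str, attr_subject: str) -> str:
    """Constructed sample: one AuthenticationStatement plus one AttributeStatement."""
    return (f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"'
            ' AssertionID="_constructed" Issuer="idp.example.org"'
            ' IssueInstant="2007-12-13T19:23:21Z">'
            '<saml:AuthenticationStatement AuthenticationInstant="2007-12-13T19:23:21Z"'
            ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
            + _subject(authn_subject) + '</saml:AuthenticationStatement>'
            '<saml:AttributeStatement>' + _subject(attr_subject)
            + '<saml:Attribute AttributeName="role" AttributeNamespace="urn:example">'
            '<saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion>')

ONE_SUBJECT = _assertion("alice@example.org", "alice@example.org")
TWO_SUBJECTS = _assertion("alice@example.org", "bob@example.org")
```

A relying party that maps a SAML 1.1 assertion onto the single-Subject model of SAML 2.0 would reject the second sample rather than silently picking one of the two principals.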
