pitbulk
commented
11 months ago @Udachin Thanks for sharing this, I will need to research
I think my doubts came from this reference: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
3.4.1 Element
<saml:Subject> [Optional]
Specifies the requested subject of the resulting assertion(s). This may include one or more
<saml:SubjectConfirmation> elements to indicate how and/or by whom the resulting assertions
can be confirmed. For more information on this element, see Section 2.4.
If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the
requested subject. If no <saml:SubjectConfirmation> elements are included, then the presenter
is presumed to be the only attesting entity required and the method is implied by the profile of use
and/or the policies of the identity provider.And also for the fact that the XSD allows it http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
Udachin
AuthnRequest::__construct with provided $nameIdValueReq add SubjectConfirmation but according to the SAML documentation this element (SubjectConfirmation ) MUST NOT contain any elements.
Link to SAML documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
Quote from SAML documentation: