Open Udachin opened 11 months ago
@Udachin Thanks for sharing this, I will need to research
I think my doubts came from this reference: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
3.4.1 Element
<saml:Subject> [Optional]
Specifies the requested subject of the resulting assertion(s). This may include one or more
<saml:SubjectConfirmation> elements to indicate how and/or by whom the resulting assertions
can be confirmed. For more information on this element, see Section 2.4.
If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the
requested subject. If no <saml:SubjectConfirmation> elements are included, then the presenter
is presumed to be the only attesting entity required and the method is implied by the profile of use
and/or the policies of the identity provider.
And also from the fact that the XSD allows it: http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
Specifies the requested subject of the resulting assertion
AuthnRequest is not a resulting assertion.
4.1.4.1 in http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf says this only about the Web Browser SSO Profile, so probably (not sure) in other profiles it's allowed to use this tag, and therefore it exists in the XSD.
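To make the Web Browser SSO Profile rule from section 4.1.4.1 concrete, here is an added example (not code from php-saml or from this thread) that builds a minimal AuthnRequest and then checks whether its Subject carries a SubjectConfirmation, which that profile forbids. The sample requests, the issuer and the NameID value are constructed for the demonstration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}

# Keep the conventional prefixes when serializing.
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(issuer, name_id=None, with_subject_confirmation=False):
    """Build a minimal AuthnRequest (constructed sample, not a real message).

    name_id=None omits <saml:Subject> entirely; the presenter is then the
    presumed subject. with_subject_confirmation reproduces the structure the
    thread complains about: a <saml:SubjectConfirmation> inside the Subject.
    """
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": "_constructed-request-id",
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    if name_id is not None:
        subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
        ET.SubElement(subject, f"{{{SAML_NS}}}NameID", {
            "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        }).text = name_id
        if with_subject_confirmation:
            ET.SubElement(subject, f"{{{SAML_NS}}}SubjectConfirmation", {
                "Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
            })
    return ET.tostring(root, encoding="unicode")


def web_sso_profile_findings(xml_text):
    """Return a list of Web Browser SSO Profile violations found in the Subject.

    Only the 4.1.4.1 rule discussed in the thread is checked: if a Subject is
    present it MUST NOT contain SubjectConfirmation elements. Everything else
    (signatures, destinations, etc.) is out of scope here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        findings.append("root element is not samlp:AuthnRequest")
        return findings
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return findings  # omitting Subject is allowed by saml-core 3.4.1
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if confirmations:
        findings.append(
            f"Subject contains {len(confirmations)} SubjectConfirmation "
            "element(s); profiles 4.1.4.1 says it MUST NOT contain any"
        )
    return findings


if __name__ == "__main__":
    issuer = "https://sp.example.test/metadata"  # constructed value
    for label, req in [
        ("no Subject", build_authn_request(issuer)),
        ("Subject with NameID only", build_authn_request(issuer, "user@example.test")),
        ("Subject with SubjectConfirmation",
         build_authn_request(issuer, "user@example.test", with_subject_confirmation=True)),
    ]:
        print(label, "->", web_sso_profile_findings(req) or "ok")
```

Running the block prints the three cases: the first two produce no findings, the third flags the SubjectConfirmation. The check is deliberately narrow so it can sit in front of an SP or IdP as a pre-validation step without replacing full schema and signature validation.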
https://github.com/SAML-Toolkits/php-saml/blob/4.0.0/README.md
General description Implements the SAML 2.0 Web Browser SSO Profile
AuthnRequest::__construct with a provided $nameIdValueReq adds a SubjectConfirmation, but according to the SAML documentation this element (SubjectConfirmation) MUST NOT contain any elements.
Link to SAML documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
Quote from SAML documentation: