Reputation: 8748
The OAuth2 SAML bearer spec describes how an application can present an assertion to a token endpoint as an authorization grant. For example, Salesforce's API allows this approach to enable apps to autonomously request access tokens for a user account (as long as the user has already given permission for this, out-of-band).
I'm having trouble making sense of what the assertion means, though. Most of it is clear enough, e.g.
Issuer is the party that generated (and signed) the assertion.
Subject is the user for whose account an access token is being requested.
AudienceRestriction limits the audience to the token endpoint.
But I'm having trouble understanding the meaning of:
AuthnStatement -- My understanding from the SAML spec is that the issuer of this assertion is making the statement that it (the issuer) has authenticated the subject. Is this right?
SubjectConfirmation -- who is confirming what here? The SAML spec helpfully describes this element as "Information that allows the subject to be confirmed". But what is confirmation? And who performs it, and how, and when, and for what purpose?
Upvotes: 12
Views: 10232
Reputation: 8785
The AuthnStatement element describes the act of authentication at the identity provider.
If the Assertion issuer authenticated the subject, the Assertion SHOULD contain a single AuthnStatement representing that authentication event.
Example:
<AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z">
  <AuthnContext>
    <!-- Authentication method: was the client authenticated with a digital cert, a password, a Kerberos token?
         A single AuthnContextClassRef carries exactly one class URI; other common values are
         urn:oasis:names:tc:SAML:2.0:ac:classes:X509 and urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos. -->
    <!-- For example, the Password class is applicable when a principal authenticates to an authentication
         authority through the presentation of a password over an unprotected HTTP session. -->
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
  </AuthnContext>
</AuthnStatement>
The SubjectConfirmation element allows the authorization server to confirm it as a Bearer Assertion. Such an element MUST have a Method attribute with a value of "urn:oasis:names:tc:SAML:2.0:cm:bearer".
The SubjectConfirmation element MUST contain a SubjectConfirmationData element (with exceptions) indicating the token endpoint URL of the authorization server. The authorization server MUST verify that the value of the Recipient attribute matches the token endpoint URL to which the Assertion was delivered.
Example:
<!-- The Method attribute is mandatory -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <!-- InResponseTo: the AuthnRequest sent this ID.
       Recipient: the token endpoint URL the assertion was delivered to (here by HTTP POST).
       NotOnOrAfter: not valid on or after this date and time (SAML times are UTC, hence the trailing Z). -->
  <saml:SubjectConfirmationData
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      Recipient="https://sp.example.com/SAML2/SSO/POST"
      NotOnOrAfter="2004-12-05T09:27:05Z"/>
</saml:SubjectConfirmation>
Upvotes: 9
Reputation: 8875
Yes, the AuthnStatement is from the issuer of this assertion stating that it has authenticated the subject.
SubjectConfirmation tells how an entity that wants to rely on an assertion can confirm that the subject in question is the subject referenced in this assertion. Maybe the assertion is valid, but is it for the user making the request? If the method is bearer then any subject who can present this assertion to the endpoint referenced in Recipient before the date in NotOnOrAfter is confirmed. If the method is holder-of-key then only a subject who can prove possession of the key referenced by a nested KeyInfo element is confirmed.
Upvotes: 4
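The checks the two answers above describe, as an added example that is not part of either answer and not the code of any product named on the page: a Python function for the authorization-server side that decodes the base64url `assertion` parameter of a SAML bearer grant, applies the RFC 7522 section 3 audience and expiry checks, and then walks the SubjectConfirmation elements, accepting a bearer confirmation only when Recipient is this token endpoint and NotOnOrAfter has not passed, and a holder-of-key confirmation only when the presenter holds the certificate named in the nested KeyInfo. The token endpoint URL, issuer, NameID, sample assertion and the "certificate" bytes are constructed for the example; XML signature verification and issuer trust are assumed to have been done before this function is called, and are not shown.

```python
# Added example (not from the page): the checks an OAuth2 token endpoint applies to a
# SAML 2.0 assertion grant per RFC 7522 section 3. The endpoint URL, issuer, NameID,
# sample assertion and "certificate" bytes are constructed. XML signature and issuer
# trust are NOT verified here; a real authorization server must do that first.
import base64
import hmac
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DSIG}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"  # constructed


class ConfirmationError(Exception):
    """Audience/expiry check failed or no SubjectConfirmation could be satisfied."""


def parse_instant(value):
    """SAML dateTime values are UTC and end in 'Z'; fractional seconds are dropped."""
    if not value.endswith("Z"):
        raise ConfirmationError(f"timestamp {value!r} is not UTC")
    naive = datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def assertion_param(assertion_xml):
    """Value of the 'assertion' form field: base64url without padding (RFC 7522 2.1)."""
    return base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()


def confirm_subject(param, token_endpoint, now, presenter_cert_der=None):
    """Decode the grant, check audience and expiry, and return (NameID, Method) for
    the first SubjectConfirmation this token endpoint can satisfy."""
    root = ET.fromstring(base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)))
    if root.tag != f"{{{SAML}}}Assertion":
        raise ConfirmationError("not a saml:Assertion")
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if token_endpoint not in audiences:
        raise ConfirmationError(f"audience {audiences} does not name {token_endpoint}")
    conditions = root.find("saml:Conditions", NS)
    cond_expiry = None
    if conditions is not None and conditions.get("NotOnOrAfter"):
        cond_expiry = parse_instant(conditions.get("NotOnOrAfter"))
        if now >= cond_expiry:
            raise ConfirmationError("assertion expired (Conditions/@NotOnOrAfter)")
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ConfirmationError("missing saml:Subject")
    name_id = subject.findtext("saml:NameID", namespaces=NS)
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        method, data = sc.get("Method"), sc.find("saml:SubjectConfirmationData", NS)
        if method == CM_BEARER:
            # Bearer: whoever delivers the assertion to Recipient before NotOnOrAfter
            # is the subject. SubjectConfirmationData may be omitted only when
            # Conditions already carries the expiry.
            if data is None:
                if cond_expiry is not None:
                    return name_id, method
                continue
            if data.get("Recipient") != token_endpoint:
                continue  # confirmed for some other endpoint, not this one
            expiry = data.get("NotOnOrAfter")
            if expiry is None and cond_expiry is None:
                continue  # no time bound at all
            if expiry is not None and now >= parse_instant(expiry):
                continue
            return name_id, method
        if method == CM_HOK and data is not None and presenter_cert_der is not None:
            # Holder-of-key: the presenter must hold the key named in ds:KeyInfo, here
            # the X.509 certificate it authenticated with (e.g. TLS client auth).
            for cert in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                held = base64.b64decode("".join((cert.text or "").split()))
                if hmac.compare_digest(held, presenter_cert_der):
                    return name_id, method
    raise ConfirmationError("no SubjectConfirmation could be satisfied")


def build_assertion(subject_confirmation):
    """Constructed sample assertion; the SubjectConfirmation fragment is pluggable."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee01" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID>{subject_confirmation}</saml:Subject>
  <saml:Conditions NotBefore="2024-06-01T12:00:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-06-01T11:59:50Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


BEARER_SC = (f'<saml:SubjectConfirmation Method="{CM_BEARER}"><saml:SubjectConfirmationData '
             f'Recipient="{TOKEN_ENDPOINT}" NotOnOrAfter="2024-06-01T12:05:00Z"/></saml:SubjectConfirmation>')
HOK_CERT_DER = b"placeholder bytes standing in for a DER certificate"  # constructed
HOK_SC = (f'<saml:SubjectConfirmation Method="{CM_HOK}"><saml:SubjectConfirmationData xmlns:ds="{DSIG}"><ds:KeyInfo>'
          f'<ds:X509Data><ds:X509Certificate>{base64.b64encode(HOK_CERT_DER).decode()}</ds:X509Certificate>'
          '</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation>')
```

Calling `confirm_subject(assertion_param(build_assertion(BEARER_SC)), TOKEN_ENDPOINT, parse_instant("2024-06-01T12:01:00Z"))` returns the NameID together with the bearer method URI. The same bearer assertion presented at a different endpoint fails the audience check, one whose Recipient names some other endpoint (for instance the web-SSO ACS URL from the answer's example) is rejected because no confirmation applies to this endpoint, and anything presented at or after the NotOnOrAfter instant is rejected as expired. The holder-of-key variant is accepted only when the bytes of the presenter's certificate match the one in KeyInfo; a bearer assertion needs no such proof, which is exactly why its time window and Recipient must be checked strictly.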