2.2.1.6.1 SubjectConfirmation Element

The <SubjectConfirmation> element is specified in [SAMLCore] section 2.4.2.3 and [SAMLToken1.1] sections 3.5 (excluding subsections), 3.5.1 (excluding subsections), 3.5.1.1, and 3.5.1.2.

At least one <SubjectConfirmation> sub-element MUST be present in an <Assertion> element.

A <SubjectConfirmation> element MUST contain exactly one <KeyInfo> element, as specified in [XMLENC] section 5.4, which corresponds to the key used for the signature over the SAML token specified in section 2.2.1.7.

The <SecurityTokenReference> child element of the <KeyInfo> element MUST be a key identifier reference with a ValueType attribute value of "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1". This document overrides the following specifications:

[SAMLToken1.1] section 3.5: Only the "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key" subject confirmation method MUST be used.

The "<element name='OAEPparams' minOccurs='0' type='base64Binary'/>" element specified in [XMLENC] section 5.4.2 MUST NOT be used.
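The constraints above (holder-of-key only, exactly one <KeyInfo>, a ThumbprintSHA1 key identifier reference, no OAEPparams) can be checked on a received token before any signature verification is attempted. The following is an added example, not code from this specification or from any Microsoft implementation; it assumes a SAML 1.1 assertion in the standard saml/ds/wsse/xenc namespaces, with <SubjectConfirmation> nested under a statement's <Subject>, and uses a constructed sample assertion with a placeholder thumbprint.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces of a SAML 1.1 assertion carried as a WS-Security token (assumed layout).
NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

def check_subject_confirmations(assertion_xml: str) -> list:
    """Return the profile violations found in an <Assertion> (empty list means it conforms)."""
    root = ET.fromstring(assertion_xml)
    problems = []
    confirmations = root.findall(".//saml:SubjectConfirmation", NS)
    if not confirmations:
        problems.append("Assertion has no SubjectConfirmation element")
    for i, sc in enumerate(confirmations):
        methods = [(m.text or "").strip() for m in sc.findall("saml:ConfirmationMethod", NS)]
        if methods != [HOLDER_OF_KEY]:
            problems.append(f"SubjectConfirmation[{i}]: method must be holder-of-key, got {methods}")
        if len(sc.findall("ds:KeyInfo", NS)) != 1:
            problems.append(f"SubjectConfirmation[{i}]: exactly one KeyInfo is required")
        # The KeyInfo's SecurityTokenReference must be a SHA-1 thumbprint key identifier.
        kids = sc.findall("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
        if len(kids) != 1 or kids[0].get("ValueType") != THUMBPRINT_SHA1:
            problems.append(f"SubjectConfirmation[{i}]: KeyIdentifier must be a ThumbprintSHA1 reference")
    # OAEPparams ([XMLENC] section 5.4.2) is excluded by this profile wherever it appears.
    if root.findall(".//xenc:OAEPparams", NS):
        problems.append("OAEPparams element present")
    return problems

# Constructed sample of a conforming assertion; the thumbprint value is a placeholder, not a real digest.
CONFORMING = f"""<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1">
 <saml:AuthenticationStatement><saml:Subject>
  <saml:SubjectConfirmation>
   <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
   <ds:KeyInfo xmlns:ds="{NS['ds']}">
    <wsse:SecurityTokenReference xmlns:wsse="{NS['wsse']}">
     <wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">PLACEHOLDER_THUMBPRINT=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
  </saml:SubjectConfirmation>
 </saml:Subject></saml:AuthenticationStatement>
</saml:Assertion>"""
# Constructed counterexample: bearer confirmation and no KeyInfo, which this profile rejects.
NONCONFORMING = re.sub(r"<ds:KeyInfo.*?</ds:KeyInfo>", "", CONFORMING.replace(HOLDER_OF_KEY, "urn:oasis:names:tc:SAML:1.0:cm:bearer"), flags=re.S)
```

Running `check_subject_confirmations` on the two samples returns an empty list for the conforming token and three violations for the counterexample.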