I agree that the "subject" of an authorization action need not be a user -
and did not read the SAML definition to restrict in this way (the example
clause was illustrative not restrictive). Nonetheless, we should clear up
the definition so that there is no question that we can use attributes to
identify the subject rather than assuming that identity is the sole
determinant.
- joe