The attribute query logic is currently leaving subject matching implicit and just trusting the IdP. No attacks are obvious here, even with the TLS prefix attack, but for correctness' sake, it should be enforced in the SP.
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3196
For now, defaulting the check to off, but turning on in the shipped config.
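The check described in this issue, sketched as an added Python example (not the Shibboleth SP's own C++ code): the SP records the subject it put in the `AttributeQuery` and rejects any returned assertion whose subject differs. The function names and sample messages are constructed for illustration, and the comparison is a simplified strict match on the `NameID` value and its qualifying attributes; signature validation and `EncryptedID` handling are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET  # assumption: input is already size-limited and trusted to parse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def name_id(parent):
    """Return (value, Format, NameQualifier, SPNameQualifier) of parent's Subject, or None."""
    nid = parent.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.text is None:
        return None
    return (nid.text.strip(), nid.get("Format"),
            nid.get("NameQualifier"), nid.get("SPNameQualifier"))

def check_query_response(query_xml, response_xml):
    """Return (ok, reason); every assertion must carry the subject that was queried."""
    wanted = name_id(ET.fromstring(query_xml))
    if wanted is None:
        return False, "query has no NameID"
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertion in response"
    for a in assertions:
        got = name_id(a)
        if got != wanted:  # do not rely on the IdP to have answered for the right subject
            return False, f"subject mismatch in assertion {a.get('ID')}: {got!r}"
    return True, "subject matches"

# Constructed sample messages (hypothetical identifiers, unsigned for brevity).
XMLNS = ('xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"')
FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def _subject(value):
    return f'<saml:Subject><saml:NameID Format="{FMT}">{value}</saml:NameID></saml:Subject>'

QUERY = f'<samlp:AttributeQuery {XMLNS} ID="_q1">{_subject("_a1b2c3")}</samlp:AttributeQuery>'

def sample_response(value=None):
    body = f'<saml:Assertion ID="_as1">{_subject(value)}</saml:Assertion>' if value else ""
    return f'<samlp:Response {XMLNS} ID="_r1" InResponseTo="_q1">{body}</samlp:Response>'

if __name__ == "__main__":
    for v in ("_a1b2c3", "_someone_else", None):
        print(v, check_query_response(QUERY, sample_response(v)))
```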