Subject: RE: [saml-dev] SAML for Webservices
Thanks for the feedback Scott,

> This assumes the assertion comes with the message. The simple SAML model
> is more about how you ask an authority to send you an assertion, so it
> might presume that your service has authenticated the requester and then
> it asks an Authz Authority for this assertion with a query, specifying
> the resource and the authenticated user as the subject.

With regards to your comment above, if the client sends a SOAP request to my WebService, then I could indeed authenticate him and make an AuthorizationDecisionQuery for the resource using the SAML request-response protocol. However, would it not be possible for the client himself to have made the AuthorizationDecisionQuery to the Authz Authority, and then sent the Assertion inside the SOAP request? Is this a legitimate SAML scenario?

In this case my service would not need to make any queries, so what exactly would it need to do? Would the following be enough, or are there other steps that need to be taken?

1) Check the signature of the assertion (signed by the Authority)
2) Check that the signature comes from a trusted authority
3) Check that the "Resource" matches what the request is trying to access
4) Check the "Decision" of the Authority (i.e. is it "Permit")
5) Check the validity of the "NotBefore" and "NotOnOrAfter" attributes of the "Conditions" element, if they are present

Again, I would appreciate any feedback on this,

Karl.

Karl Nesbitt Ph.D.
Vordel Web services security
karl.nesbitt@vordel.com
Ph: + 353 1 215 3316
Fax: + 353 1 215 3334
http://www.vordel.com
Cranford Court
Dublin 4
Ireland
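An added illustration of the five checks listed in the post, not code from the thread or from Vordel: a Python validator run over a constructed SAML 1.0 assertion. XML-DSig verification (step 1) is not in the standard library, so it is delegated to a caller-supplied callable (an assumption; an XML signature library would fill that in), and step 2 is implemented as an Issuer allow-list; the issuer, resource and validity window in the sample are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not from the thread); values are made up for the demo.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="_example" Issuer="authz.example.com"
  IssueInstant="2002-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2002-06-01T12:00:00Z" NotOnOrAfter="2002-06-01T12:05:00Z"/>
  <saml:AuthorizationDecisionStatement Resource="https://ws.example.com/orders" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>karl</saml:NameIdentifier></saml:Subject>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def parse_instant(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(assertion_xml: str, resource: str, trusted_issuers: set,
                    verify_signature: Callable[[str], bool],
                    now: datetime = None) -> tuple:
    # Returns (permitted, reason); checks follow the numbering in the post.
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    # 1) Signature: assumed XML-DSig verifier supplied by the caller, run before anything else.
    if not verify_signature(assertion_xml):
        return False, "signature invalid"
    # 2) Trusted authority: the Issuer must be on the service's allow-list.
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    # 3) Resource: exact match against what this request is trying to access.
    stmts = root.findall("saml:AuthorizationDecisionStatement", NS)
    stmt = next((s for s in stmts if s.get("Resource") == resource), None)
    if stmt is None:
        return False, "no decision statement for this resource"
    # 4) Decision: anything other than Permit (Deny, Indeterminate) is a refusal.
    if stmt.get("Decision") != "Permit":
        return False, f"decision {stmt.get('Decision')!r}"
    # 5) Conditions, if present: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            return False, "assertion not yet valid"
        if noa and now >= parse_instant(noa):
            return False, "assertion expired"
    return True, "permit"
```

Passing `now` explicitly makes the window checks deterministic; in production the clock must be UTC and ideally allow a small skew against the authority's clock.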