OASIS Mailing List Archives

saml-dev message


Subject: RE: [saml-dev] ConfirmationData?


Folks,
 
this is an issue. We do not use confirmation data, nor do we check for it in
the artifact case.
 
Nowhere in the artifact browser profile description is there a requirement that
ConfirmationData be used. Indeed, one key requirement in developing the artifact
profile was that there be NO relationship between the artifact and the assertion itself. By placing
the artifact in the assertion (as conf data) this requirement is violated (however weakly).
 
The relationship between the artifact and the assertion is established via bilateral authentication
between source and destination sites. There is no other relationship required.
 
- prateek
 
-----Original Message-----
From: Charles Knouse [mailto:cknouse@oblix.com]
Sent: Friday, June 07, 2002 3:18 PM
To: Bhavna.Bhatnagar@Sun.COM; Philpott, Robert
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] ConfirmationData?

The Oblix SAML implementation also expects the artifact confirmation data.
 
-- Charles
-----Original Message-----
From: Bhavna Bhatnagar [mailto:Bhavna.Bhatnagar@Sun.COM]
Sent: Friday, June 07, 2002 12:16 PM
To: Philpott, Robert
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] ConfirmationData?

Yes, we at Sun need the SubjectConfirmationData to be the associated artifact string. The source site at our end checks that the SubjectConfirmationData does
contain the artifact string sent out originally in the query to the destination's soap responder.

Bhavna
 

"Philpott, Robert" wrote:

The specs aren't really clear on this... Do folks expect to receive a ConfirmationData element containing the artifact as part of the SubjectConfirmation when using the Artifact-01 method? 

I've seen a sample assertion that did have it and one that didn't. 

I assume you would want it so the relying party could (if they so desire) verify the assertion statements are associated with a particular artifact-based request.

Thanks,

Rob Philpott

RSA Security Inc.

The Most Trusted Name in e-Security

Tel: 781-515-7115

Mobile: 617-510-0893

Fax: 781-515-7020

mailto:rphilpott@rsasecurity.com

-- 
________________________________________________________________________ 
Bhavna Bhatnagar                                Sun Microsystems Inc.            
Identity Management group        __o
Tel: 408-276-3591              _`\<,_   
                              (*)/ (*)
 ________________________________________________________________________
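
Added example (not part of the original thread or of any poster's implementation): a relying-party check for the Artifact-01 SubjectConfirmation that covers both behaviours discussed above, either tolerating a missing SubjectConfirmationData element or requiring it to equal the artifact that was sent. The function names, the require_data flag, and the sample assertion and artifact value are assumptions constructed for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ARTIFACT_CM = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
NS = {"saml": SAML_NS}


def check_artifact_confirmation(assertion_xml, sent_artifact, require_data=False):
    """Hypothetical helper: compare SubjectConfirmationData with the artifact
    that was sent in the request. Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    seen = False
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        methods = [(m.text or "").strip()
                   for m in sc.findall("saml:ConfirmationMethod", NS)]
        if ARTIFACT_CM not in methods:
            continue
        seen = True
        data = sc.find("saml:SubjectConfirmationData", NS)
        value = (data.text or "").strip() if data is not None else ""
        if not value:
            # Some senders omit the element; policy decides if that is fatal.
            if require_data:
                return False, "missing-confirmation-data"
            continue
        # If present, it must be the artifact we actually sent.
        if not hmac.compare_digest(value.encode(), sent_artifact.encode()):
            return False, "artifact-mismatch"
    return (True, "ok") if seen else (False, "no-artifact-method")


def sample_assertion(confirmation_data=None):
    """Constructed, simplified SAML 1.0 assertion (unsigned, attributes trimmed)."""
    data = (f"<saml:SubjectConfirmationData>{confirmation_data}"
            "</saml:SubjectConfirmationData>") if confirmation_data else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthenticationStatement>'
            "<saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier>"
            f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{ARTIFACT_CM}"
            f"</saml:ConfirmationMethod>{data}</saml:SubjectConfirmation>"
            "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>")


SENT = "CONSTRUCTED-ARTIFACT-0001"  # constructed value, not a real artifact encoding

if __name__ == "__main__":
    for label, xml_doc, strict in [("with data", sample_assertion(SENT), True),
                                   ("without, lenient", sample_assertion(), False),
                                   ("without, strict", sample_assertion(), True),
                                   ("wrong artifact", sample_assertion("OTHER"), False)]:
        print(label, check_artifact_confirmation(xml_doc, SENT, strict))
```

A receiver that interoperates with both kinds of sender would run in the lenient mode and still reject a present-but-different value.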
 
