saml-dev - [no subject]
-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: 09 November 2005 16:51
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Subject confirmation.




Giuseppe Sarno wrote on 11/9/2005, 11:10 AM:



> The subject confirmation is data sent to the SP by the asserting
> party (IDP), so far so good.

That isn't how I would describe it.


> Now the thing I don't understand is the following:
>
> Is this data meant to let the SP determine that the Subject in the
> assertion is actually the subject? (sorry about the word game)

The Subject confirmation is essentially the steps that the sender must
go through to prove they are allowed to present the assertion to the
receiver. In the case of browser-based SSO, this will always be a
"bearer" confirmation (meaning that whoever can bear this token can
present it to the SP). This is necessary since the browser isn't
capable of doing anything else.

Of course, when you get beyond a browser and into server to server
messages, the sender can do things like prove that they hold a key
(holder-of-key confirmations) typically by signing something (usually
some portion of the message).  You can see more of how this is used in
the WS-Security SAML Token Profile specification.



> Or is this data meant to let the SP determine that the IDP that
> issued the Assertion is associated with the Subject?

It is not generally used for IdP->SP communications associated with SSO
since they are typically sent through a browser client (so the browser
is actually the entity sending the assertion to the SP after having
gotten it from the IdP).

> Now I'm trying to understand what the SP is supposed to do.

In the browser based SSO model (where the SP comes into play), the
confirmation method is: "...:cm:bearer" since it is always a bearer
confirmation (See Section 4.1.1 of the SAML Profiles specification).

Conor



Giuseppe Sarno replied:

A bit confused,

So subject confirmation is not really a means to confirm that the
Subject is correct (in a way). But then why assign this data to the
Subject, mmmmhhh....

Also there is a Subject element also within the Subject confirmation;
what is this for?

So I'll make an example to see whether I got the point. I will avoid
talking about SP and IDP.

- PartyA (it might not be a browser) tries to access RelyingPartyA
  (RPA).
- PartyA queries (or asks for auth) AssertingParty (AP) for an
  Assertion. (I'm assuming that in a generic case it is not the RP that
  queries the AP, but it could also be PartyA that gets hold of an
  assertion. Is this a correct assumption?)
- AP generates an assertion.

Now who should produce the confirmation? AP or PartyA?

From what I understood, in theory they both could provide a
confirmation. Is this right? Or can only the producer touch the
assertion?

Sorry for the many questions, but honestly the spec is not very clear
on this.

Giuseppe.
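Conor's description of the bearer confirmation leaves the SP with only a few things it can actually verify about a browser-delivered assertion: the confirmation method, who the assertion was addressed to, how long it is valid, and which request it answers. The following is an added example, not code from the thread or from any SAML implementation, showing those checks as a relying party would apply them under the Web Browser SSO profile's bearer rules. The assertion fragment, ACS URL, request ID and timestamps are all constructed for the example, and it assumes the assertion's XML signature has already been validated before this function is called.

```python
# Added example (not from the saml-dev thread): the checks a relying party (SP)
# performs on a bearer <SubjectConfirmation> in a SAML 2.0 assertion that
# arrived through a browser. The SP cannot prove anything about the bearer
# itself, so the SubjectConfirmationData has to bind the assertion to this SP
# (Recipient), a short lifetime (NotOnOrAfter) and, for SP-initiated SSO, the
# AuthnRequest it answers (InResponseTo). Signature validation is assumed done.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample values; none of them come from the thread.
SP_ACS_URL = "https://sp.example.com/saml/acs"
PENDING_REQUEST_IDS = {"_constructed-request-7"}
SAMPLE_NOW = datetime(2005, 11, 10, 10, 1, tzinfo=timezone.utc)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2005-11-10T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2005-11-10T10:05:00Z"
          InResponseTo="_constructed-request-7"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""


def parse_xs_datetime(value):
    """Parse the UTC xs:dateTime form SAML uses (trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def confirm_bearer_subject(assertion_xml, acs_url, pending_request_ids, now):
    """Return (ok, reason).

    ok is True only if at least one <SubjectConfirmation> uses the bearer
    method and its SubjectConfirmationData passes every check the SP can
    make on its own. pending_request_ids is the set of AuthnRequest IDs this
    SP has issued and not yet consumed; pass None for an unsolicited
    (IdP-initiated) response, where no InResponseTo is expected.
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confirmations:
        return False, "no SubjectConfirmation present"

    reasons = []
    for sc in confirmations:
        method = sc.get("Method")
        if method != BEARER:
            # A holder-of-key confirmation would need a key proof the
            # browser cannot supply; a bearer-only SP rejects it here.
            reasons.append(f"unsupported method {method}")
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            reasons.append("bearer confirmation without SubjectConfirmationData")
            continue
        if data.get("Recipient") != acs_url:
            reasons.append(f"Recipient {data.get('Recipient')!r} is not this SP")
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_xs_datetime(expiry):
            reasons.append("NotOnOrAfter missing or already passed")
            continue
        in_response_to = data.get("InResponseTo")
        if pending_request_ids is None:
            if in_response_to is not None:
                reasons.append("unexpected InResponseTo on unsolicited response")
                continue
        elif in_response_to not in pending_request_ids:
            reasons.append(f"InResponseTo {in_response_to!r} matches no pending request")
            continue
        return True, "bearer confirmation accepted"
    return False, "; ".join(reasons)


if __name__ == "__main__":
    print(confirm_bearer_subject(SAMPLE_ASSERTION, SP_ACS_URL,
                                 PENDING_REQUEST_IDS, SAMPLE_NOW))
```

Every branch that rejects does so on data the IdP put into the SubjectConfirmationData, which is the practical consequence of Conor's point: with a bearer method the SP never learns anything about the party presenting the assertion, so the only defence against a replayed or misdirected assertion is that it was addressed to this SP, expires soon, and answers a request this SP actually made.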
