
saml-dev message



Subject: Re: [saml-dev] SAML, trust and WS.


I am new to SAML and WS-Security too. I also found it very confusing
trying to make sense of it all. It wasn't until I realized that a lot
of my confusion came from all of the different contexts in which SAML
Assertions are used.

I think of authentication statements in general as being a claim 
made about a subject; an authentication statement in general 
effectively says something along the lines of:

"this is a claim that the subject associated with this assertion
has been authenticated at such-and-such a time, using
such-and-such an authentication method...".

> Where does the user get the Assertion from? IDP?

If you're talking about WS-Security in the context of the full WS-*
stack (WS-Trust, WS-Federation, etc.), then assertions are provided
by a "Security Token Service (STS)", which is analogous to an IdP
(Identity Provider). IdPs are from the SAML 2/Liberty Alliance
context; "Asserting Party" is the same thing but from the SAML 1.x
context.

> ...The Service somehow will have to trust the Asserting party 
> even though in different trust domains ?


The claims made by an authentication statement still have to be
proven somehow. My understanding of it is that digital signatures
and encryption are ways to prove whether or not the claims made by
an authentication statement are true. I would say that is where the
trust comes from on the technical/implementation level. Also, before
the system in question is implemented, there has to be some sort of
business agreement between the owners of the different domains
involved that specifies explicitly how trust will be established
between them.


I hope this doesn't confuse you even more. Also, if I am totally
off the mark, then I would be grateful if anybody in the forum
would set me straight.


On Mon Dec 05 03:23:37 PST 2005, Giuseppe Sarno 
<gsarno@nortel.com> wrote:

> Hi,
> moving on with my Web service investigation and security I came
> across the SAML token profile. If I understood it right, this Token
> is used as part of a WS-Security message to authenticate (and
> possibly authorize) a user.
> 
> The use case I have seen is the following: UserA gets a SAML
> assertion (related to himself). Then he includes the Assertion as a
> Token in the WS-se message to Service A.
> 
> The things that are not fully clear are the following:
> 
> Where does the user get the Assertion from? IDP? In the federated
> example/SSO it was clear what the relationship between user/SP/IDP
> was. With the Wsse I kind of don't get the full picture.
> 
> The Service somehow will have to trust the Asserting party even
> though they are in different trust domains? Or does this mean that
> the user can only be authenticated in his trust domain?
> 
> The SAML message will need to contain all the information necessary
> for Service A to make the decision. I mean Service A doesn't need to
> go somewhere else to check that the assertion is valid, as he has got
> all the info he requires. I guess it's here where subject
> confirmation might come into place?
> 
> I hope the info in the question is clear enough; otherwise don't
> hesitate to ask for any further details.
> 
> Thanks.
> Giuseppe.
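As an added example, not part of this thread or of any OASIS specification text: the checks a relying party (Service A in the question) would run on a SAML 2.0 assertion it receives as a WS-Security token before acting on its authentication statement. It ties together the points raised above: the trusted issuer list stands in for the out-of-band business agreement, the signature is what makes the claim provable, the Conditions and AudienceRestriction are the "all the info he requires", and SubjectConfirmation is how the presenter is tied to the subject. The assertion, the issuer and audience URLs and the policy values are constructed for this example; the signature value is a placeholder, and cryptographic verification against the issuer's agreed key is left to an XML-DSig library rather than implemented here.

```python
"""Relying-party checks on a SAML 2.0 assertion presented as a WS-Security token."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class RelyingPartyPolicy:
    """What Service A agreed out of band (hypothetical policy object for this example)."""
    trusted_issuers: set            # asserting parties covered by a business agreement
    audience: str                   # identifier Service A expects in AudienceRestriction
    accepted_confirmation_methods: set = field(default_factory=lambda: {
        "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
        "urn:oasis:names:tc:SAML:2.0:cm:bearer",
    })
    clock_skew_seconds: int = 60


def _parse_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2005-12-05T11:23:37Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, policy, now_utc):
    """Return the list of policy violations for one assertion (empty list == acceptable).

    Only the *presence* of a signature covering this assertion is checked here; the
    cryptographic verification against the issuer's key is left to an XML-DSig library.
    """
    problems = []
    now = _parse_time(now_utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["document root is not a saml:Assertion"]

    # 1. The asserting party must be one we have a trust agreement with.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in policy.trusted_issuers:
        problems.append("issuer %r is not a trusted asserting party" % issuer)

    # 2. A signature must exist and its Reference must point at this assertion's ID,
    #    otherwise a valid signature would prove nothing about these particular claims.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        problems.append("assertion is not signed")
    elif ref.get("URI") != "#" + root.get("ID", ""):
        problems.append("signature Reference does not cover this assertion")

    # 3. Validity window and audience, allowing a little clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no saml:Conditions element")
    else:
        skew = timedelta(seconds=policy.clock_skew_seconds)
        if cond.get("NotBefore") and now + skew < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if policy.audience not in audiences:
            problems.append("assertion is not addressed to this service")

    # 4. Subject confirmation: how the presenter proves it is the authenticated subject.
    methods = {sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    if not methods & policy.accepted_confirmation_methods:
        problems.append("no acceptable SubjectConfirmation method: %s" % sorted(m or "" for m in methods))

    # 5. The claim Service A acts on must actually be present.
    if root.find("saml:AuthnStatement", NS) is None:
        problems.append("no saml:AuthnStatement")
    return problems


# Constructed sample: a holder-of-key assertion from a hypothetical STS for UserA.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"
    ID="_example-assertion-1" IssueInstant="2005-12-05T11:23:37Z">
  <saml:Issuer>https://sts.idp.example.org/</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_example-assertion-1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>userA@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-12-05T11:23:37Z" NotOnOrAfter="2005-12-05T11:33:37Z">
    <saml:AudienceRestriction><saml:Audience>https://service-a.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-12-05T11:23:30Z"/>
</saml:Assertion>"""

SERVICE_A_POLICY = RelyingPartyPolicy(
    trusted_issuers={"https://sts.idp.example.org/"},
    audience="https://service-a.example.com/",
)

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SERVICE_A_POLICY, "2005-12-05T11:25:00Z"))  # []
    print(check_assertion(SAMPLE_ASSERTION, SERVICE_A_POLICY, "2005-12-06T11:25:00Z"))  # ['assertion has expired']
```

The order of the checks is deliberate: the issuer and signature-coverage checks come first because nothing else in the document is meaningful until it is known who said it and that the signature covers this assertion and not some other element. Holder-of-key is listed first among the accepted confirmation methods because it binds the WS-Security message to the key named in the assertion, whereas a bearer assertion is honoured for whoever presents it.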

