saml-dev message



Subject: Re: [saml-dev] Question about Subject of a SAML assertion


To followup on Conor's reply, please have a look at the Holder-of-Key
Assertion Profile:

http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation

It describes how to bind a public key to a SubjectConfirmation element
and how a relying party confirms that the presenter is the holder of
the corresponding private key.

Tom

PS. The HoK Assertion is one of several profiles currently undergoing
Public Review.  The complete list is on the SAML SSTC wiki home page:

http://wiki.oasis-open.org/security/FrontPage


On Fri, Apr 10, 2009 at 7:52 AM, Cahill, Conor P
<conor.p.cahill@intel.com> wrote:
> The most common way to do this is with the subject confirmation.   In
> browser SSO, the subject confirmation is typically "bearer" -- meaning
> that simple possession of the token is good enough to claim to be the
> subject (or at least acting in the name of the subject).
>
> However, with a service client the client itself can have an identity
> that is asserted using some form of private key or certificate.  The
> subject confirmation can refer to this key and in that case only that
> service client would be able to use that assertion to communicate with
> a relying party.
>
> If you're worried about which relying party the SC could use the
> assertion at, that is controlled by the Audience Restriction condition,
> which defines the set of one or more relying parties for which an
> assertion is generated.
>
> Conor
>
>> -----Original Message-----
>> From: Massimiliano Masi [mailto:masi@math.unifi.it]
>> Sent: Friday, April 10, 2009 5:13 AM
>> To: saml-dev@lists.oasis-open.org
>> Subject: [saml-dev] Question about Subject of a SAML assertion
>>
>> Hello,
>>
>> I've a question about the Subject element of an Authentication
>> Assertion.
>>
>> A user ``A'' is sitting in front of a service client SC. She wants to
>> obtain an assertion from an IdP, using WS-Trust. The service client is
>> trusted by some means by the user (for example X509 certificates), and
>> the user is trusted by the service client because he knows his password.
>>
>> Now, the communication with the IdP is in place and the IdP
>> authenticates the user, for example, and creates the new SAML assertion.
>> The subject of the SAML assertion is the user ``A''; there is no means
>> for the third service (the assertion consumer) to know, from the SAML
>> assertion, that the user A is sitting on the service client SC.
>>
>> What happens if a valid service client SC' (valid for the network, I
>> mean), with a valid user A', obtains the token? Can he impersonate A on SC?
>>
>> How to put the identity of SC in the SAML token?
>>
>> Let's imagine a token signed, with the Bearer subjectConfirmation.
>>
>> Thanks,
>>
>>        Massimiliano
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
>> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
>

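Added example, not code from the thread or from the OASIS profile: a constructed relying-party check for the holder-of-key confirmation Tom and Conor describe, together with Conor's AudienceRestriction check. It assumes the service client's certificate arrives on the TLS channel as DER bytes (the DER values below are constructed placeholders, not real certificates) and that the assertion's XML signature has already been verified.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for the DER-encoded certificates of SC and SC' (not real certs).
SC_CERT_DER = b"constructed-der-for-service-client-SC"
SC2_CERT_DER = b"constructed-der-for-service-client-SC-prime"


def make_assertion(method, cert_der, audience):
    """Constructed minimal assertion; a HoK confirmation carries the client's cert."""
    b64 = base64.b64encode(cert_der).decode()
    keyinfo = ""
    if method == HOK:
        keyinfo = (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
                   f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
                   "</ds:X509Data></ds:KeyInfo>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0">'
            "<saml:Subject><saml:NameID>A</saml:NameID>"
            f'<saml:SubjectConfirmation Method="{method}">'
            f"<saml:SubjectConfirmationData>{keyinfo}</saml:SubjectConfirmationData>"
            "</saml:SubjectConfirmation></saml:Subject>"
            "<saml:Conditions><saml:AudienceRestriction>"
            f"<saml:Audience>{audience}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")


def confirm_presenter(assertion_xml, presenter_cert_der, my_entity_id):
    """Relying-party side: assume the XML signature was already verified.
    Accept only if this RP is an Audience and the TLS client certificate
    matches a holder-of-key SubjectConfirmation; a bearer confirmation
    never binds the presenter, so SC' holding the token is not confirmed."""
    root = ET.fromstring(assertion_xml)
    audiences = {a.text for a in root.iterfind(".//saml:Audience", NS)}
    if my_entity_id not in audiences:
        return "wrong-audience"
    presented = hashlib.sha256(presenter_cert_der).digest()
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue  # bearer: possession alone is not proof of identity
        for cert in sc.iterfind(".//ds:X509Certificate", NS):
            if hashlib.sha256(base64.b64decode(cert.text)).digest() == presented:
                return "confirmed"
    return "not-confirmed"
```

With a HoK assertion bound to SC's certificate, SC' presenting its own certificate is refused, and a bearer assertion is never treated as proof of which client holds it.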