security-bindings message

Subject: RE: one time use saml artifact


Bob,

I'm addressing one-time-use of saml artifact: If saml artifact is generated and passed to
the browser it should be good for one-time use only. I presume that authentication
assertion is generated at the time of user authentication. Authentication assertion is
stored in the issuing server S. SAML artifact is generated some time later (within assertion
validity interval). Assertion reference embeds this saml artifact and additional info
such as assertion id (which is not in the artifact) and is communicated to the destination
site D: assertion(ass_id) <-- assertion_ref(ass_id, saml_art(random_number))
Now assertion reference is decoupled from assertion. After use D is supposed to discard
assertion_ref, and you can not reuse saml artifact any more to get to the assertion.

Other implementations of one-time-use saml-artifact are definitely possible, but if there
is no redirection they will put more burden on the issuing server. (imo).

-- Stale-assertion
If assertion is stale it will be discarded by the issuing party S. If D is still able
to pull stale assertion it should detect that it has expired.

-- Man-in-the-middle.
I assume that all communication is over SSL, so UA<->S, UA<->D, and S<->D authenticate
each other. So D is a trusted party and is supposed to discard assertion_ref after one
use.

-- Assertion reuse.
I do not address assertion reuse and it is not prevented.

-- why do we want to create a
-- one-time reference which can be used to retrieve a many-time assertion?
I assume that assertion is generated when authentication takes place, not when http
transfer to another protected site is requested. Every time you visit dispatch page
within assertion validity interval the only thing you have to do is generate new
assertion reference.

Simon.
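The scheme Simon sketches above (assertion held at the issuing server S, a separately minted one-time reference carrying a random artifact, the reference discarded on first resolution, a stale assertion refused) as an added example; this is illustrative code, not part of the thread or of any SAML implementation, and the names IssuingServer, authenticate, issue_reference and resolve_reference are assumed.

```python
import secrets
import time


class IssuingServer:
    """Site S: stores authentication assertions and hands out one-time references."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so staleness can be tested
        self.assertions = {}      # ass_id -> (subject, not_before, not_on_or_after)
        self.references = {}      # artifact -> ass_id; entry removed on first use

    def authenticate(self, subject, lifetime_s):
        """Create the assertion once, at login time (not per site visit)."""
        ass_id = "a-" + secrets.token_hex(8)
        issued = self.now()
        self.assertions[ass_id] = (subject, issued, issued + lifetime_s)
        return ass_id

    def issue_reference(self, ass_id):
        """Mint assertion_ref(ass_id, saml_art(random_number)) for a live assertion."""
        if ass_id not in self.assertions:
            raise KeyError("unknown assertion")
        if self.now() >= self.assertions[ass_id][2]:
            raise ValueError("assertion is stale; no new reference issued")
        artifact = secrets.token_urlsafe(20)          # the random_number part
        self.references[artifact] = ass_id
        return {"ass_id": ass_id, "artifact": artifact}

    def resolve_reference(self, artifact):
        """Back-channel call from D. The reference is consumed whether or not it resolves."""
        ass_id = self.references.pop(artifact, None)  # second use finds nothing
        if ass_id is None:
            return None
        subject, _issued, expires = self.assertions[ass_id]
        if self.now() >= expires:
            del self.assertions[ass_id]               # S discards the stale assertion
            return None
        return {"ass_id": ass_id, "subject": subject, "expires": expires}


def destination_site_pull(server, assertion_ref):
    """Site D: resolve once, then forget the reference as the scheme requires."""
    result = server.resolve_reference(assertion_ref["artifact"])
    assertion_ref.clear()                             # D discards assertion_ref
    return result
```

Note that, as in the thread, nothing here stops D from reusing the assertion it has already pulled; only the reference is one-time.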

-----Original Message-----
From: George_Robert_Blakley_III@tivoli.com
[mailto:George_Robert_Blakley_III@tivoli.com]
Sent: Tuesday, July 10, 2001 12:52 PM
To: sgodik@crosslogix.com
Cc: 'security-bindings@lists.oasis-open.org'
Subject: Re: one time use saml artifact



Simon,

I'm confused about a couple of things here.

The first is, what problem is this intended to solve?  It doesn't deal with
Man-in-the-middle attacks (you get the
one-time token, you can still use it).  It doesn't prevent use of a stale
SAML assertion, since no time
value is included (though SAML assertions themselves take care of this
problem).

It also doesn't (by itself) take care of the problem of a server which
receives an assertion turning around
and re-using the assertion in order to impersonate the client (unless we
make assertions non-forwardable by
using the audience restriction capability).  This leads to my second
question: why do we want to create a
one-time reference which can be used to retrieve a many-time assertion?

I apologize if I've missed something, but I've looked back through the
archives and recent documents and
haven't been able to straighten out my thinking on these points.  Thanks,


--bob

Bob Blakley (email: blakley@us.tivoli.com   phone: +1 512 436 1564)
Chief Scientist, Security, Tivoli Systems, Inc.


Simon Godik <sgodik@crosslogix.com> on 07/10/2001 12:10:03 PM

To:   "'security-bindings@lists.oasis-open.org'"
      <security-bindings@lists.oasis-open.org>
cc:
Subject:  one time use saml artifact





Here is one possible implementation of one time use saml artifact

 <<one-time-art.doc>>
Simon Godik