security-services message
Subject: Specification of the principal


All,

The key pieces of the core assertions that have to be defined are the
subject, object and action clauses. Of these, the most complex is the object
specification, since that may bind to a resource, an attribute or a role. So
instead I wanted to address the Subject specification first, since it is
somewhat simpler: all SAML assertions have a principal as the subject.
The other can of worms to open up is the method of requesting an assertion.
Subject

In every case the subject of a SAML assertion is a principal. A principal
MAY be identified by:
	*	Name
	*	Authentication Credential
	*	Reference to an Authentication Credential

Names
		Common name ("Alice Pleasance Liddel")
		Account ("alice@christchurch.ox.ac.uk")

Authentication Credential
		Password ("secret")
		Password validator (SHA-1 ("secret"))
		Holdership of ticket (SHA-1 ( ticket-data ))
		Public key <KeyInfo> <KeyData/> </KeyInfo>
		Certificate <KeyInfo> <X509Data/> </KeyInfo>
		PGP Key <KeyInfo> <PGPData/> </KeyInfo>

Reference to Authentication Credential
		<KeyInfo> <RetrievalMethod/> </KeyInfo>

Specifying the authentication credential allows the PEP to authenticate the
principal. However, in some circumstances the authentication protocol used
will also be relevant.

<Subject>
   <Name> ?
   <Account> ?
   <Authenticator>
      <AuthAlg>?
      <AuthData> | <KeyInfo>

Examples:

Assertion Principal identified by name and account only:
<Subject>
   <Name>Alice Pleasance Liddel
   <Account>alice@christchurch.ox.ac.uk

Assertion Principal identified by password validator:
<Subject>
   <Account>alice@christchurch.ox.ac.uk
   <Authenticator>
      <AuthAlg>uri:///password/SHA-1
      <AuthData>secret

Assertion Principal identified by ticket validator:
<Subject>
   <Account>alice@christchurch.ox.ac.uk
   <Authenticator>
      <AuthAlg>uri:///ticket/SHA-1
      <AuthData>21A9834hwad98723hawf98723h987w4r

Assertion Principal identified by public key:
<Subject>
   <Account>alice@christchurch.ox.ac.uk
   <Authenticator>
      <KeyInfo>
         <KeyData>
             <RSAData/>
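As an added illustration (not part of the original post or of any SAML draft), the following Python builds and parses a <Subject> in the shape sketched above and checks the "password validator" case: the AuthData under uri:///password/SHA-1 must be a SHA-1 digest that matches the presented password. Element names, the AuthAlg URI and the hex encoding of the digest are assumptions taken from or added to the sketch; closing tags are added so the fragment is well-formed XML.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

SHA1_PASSWORD_ALG = "uri:///password/SHA-1"   # AuthAlg value used in the post's example
HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")    # assumption: validator is hex-encoded

def password_validator(password):
    """SHA-1 over the password, hex-encoded: the 'password validator' form."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def build_subject(account, validator=None, name=None):
    """Serialise a <Subject> in the proposed shape (constructed sample, closing tags added)."""
    subject = ET.Element("Subject")
    if name is not None:
        ET.SubElement(subject, "Name").text = name
    ET.SubElement(subject, "Account").text = account
    if validator is not None:
        auth = ET.SubElement(subject, "Authenticator")
        ET.SubElement(auth, "AuthAlg").text = SHA1_PASSWORD_ALG
        ET.SubElement(auth, "AuthData").text = validator
    return ET.tostring(subject, encoding="unicode")

def parse_subject(xml_text):
    """Pull Name, Account and the Authenticator (if any) out of a <Subject>."""
    root = ET.fromstring(xml_text)
    if root.tag != "Subject":
        raise ValueError("root element must be <Subject>")
    parsed = {"name": root.findtext("Name"), "account": root.findtext("Account"), "auth": None}
    auth = root.find("Authenticator")
    if auth is not None:
        parsed["auth"] = {"alg": auth.findtext("AuthAlg"),
                          "data": auth.findtext("AuthData"),
                          "keyinfo": auth.find("KeyInfo") is not None}
    return parsed

def verify_password_validator(parsed, presented_password):
    """True only if the Subject carries a well-formed SHA-1 validator matching the password."""
    auth = parsed["auth"]
    if auth is None or auth["alg"] != SHA1_PASSWORD_ALG:
        return False                      # no authenticator, or a different mechanism
    data = (auth["data"] or "").strip()
    if not HEX_SHA1.match(data):
        return False                      # a validator is a digest; reject anything else
    return hmac.compare_digest(password_validator(presented_password), data.lower())
```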


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

