Subject: [security-services] Discussion topic for con-call on Tuesday, June 11
Colleagues,

I propose we initiate development of a WS-Security profile for SAML through the OASIS SSTC. In previous work [SOAP-SAML], a SOAP Profile for SAML was proposed. This work was not included with SAML 1.0 due to lack of time for review and implementation. Subsequently, in April, the WS-Security proposal [WS-Sec] made its appearance, thereby providing a foundation for the secure attachment of security tokens (such as SAML) to SOAP messages. I have previously published a note [WS-SecAndSAML] explaining the difference between [SOAP-SAML] and [WS-Sec].

Overview of Proposal:
---------------------

NOTE: Please review [SOAP-SAML] SOAP Profile of SAML at this point.

(1) SAML assertions MUST be included within the <wsse:Security> element, as in:

    <Security>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          MajorVersion="1" MinorVersion="0"
          AssertionID="192.168.6.40.1021066861062"
          Issuer="http://www.netegrity.com/authEngine"
          IssueInstant="2002-05-10T21:41:01Z">
        <saml:Conditions NotBefore="2002-05-10T21:38:59Z"
            NotOnOrAfter="2002-05-10T21:43:59Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>http://www.thecompany.com/someBusinessAgreement</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2002-05-10T21:41:01Z">
          <saml:Subject>
            <saml:NameIdentifier NameQualifier="www.netegrity.com"
                Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
              joe@user.com
            </saml:NameIdentifier>
          </saml:Subject>
          <saml:SubjectLocality IPAddress="192.168.6.40"
              DNSAddress="authEngine.netegrity.com"/>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <saml:Assertion>
        ...
      </saml:Assertion>
      ...
    </Security>

A plurality of SAML assertions MAY BE included within the <Security> element.

(2) A <SecurityTokenReference> element MAY reference a SAML assertion (local or remote).
(3) Recall that two processing models for SAML assertions are introduced in [1]: HolderOfKey and SenderVouches. In each case, a <ds:signature> element is required to bind assertions to the payload. This <ds:signature> element MUST be placed within the <Security> element with the appropriate SAML assertions.

(a) HolderOfKey: the <ds:KeyInfo>/<ds:signature> element holds a <SecurityTokenReference> element with a reference to an assertion holding information about the signing key.

(b) SenderVouches: the <ds:KeyInfo>/<ds:signature> element holds information about the signing key.

Please comment.

------------------------------------------
References:

[SOAP-SAML] SOAP Profile of the OASIS SAML, http://www.oasis-open.org/committees/security/docs/draft-sstc-soap-profile-model-01.pdf
[WS-Sec] WS-Security and WS-Security Roadmap, http://www.verisign.com/spotlight/02/0219/
[WS-SecAndSAML] Relationship between WS-Security and SAML 1.0, http://lists.oasis-open.org/archives/security-services/200204/msg00120.html
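A receiver-side check of the header layout described in points (1) to (3), added here as an illustration; it is not part of the original post or of any SSTC draft. It parses a constructed <wsse:Security> header, enforces the assertion's Conditions (validity window and AudienceRestrictionCondition), confirms a <ds:Signature> is present, and classifies the binding as HolderOfKey when <ds:KeyInfo> points at an included assertion through a <SecurityTokenReference>, otherwise SenderVouches. The wsse namespace URI, the <wsse:Reference URI="#..."/> form and the sample header are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",   # standard SAML 1.0 namespace
      "ds": "http://www.w3.org/2000/09/xmldsig#",        # standard XML-DSig namespace
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext"}  # assumed WS-Security draft URI

# Constructed sample (structure only, no SignatureValue): one assertion plus a
# signature whose KeyInfo points at that assertion, i.e. the HolderOfKey shape.
SAMPLE = """<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion AssertionID="a1" Issuer="http://www.netegrity.com/authEngine">
  <saml:Conditions NotBefore="2002-05-10T21:38:59Z" NotOnOrAfter="2002-05-10T21:43:59Z">
   <saml:AudienceRestrictionCondition>
    <saml:Audience>http://www.thecompany.com/someBusinessAgreement</saml:Audience>
   </saml:AudienceRestrictionCondition>
  </saml:Conditions>
 </saml:Assertion>
 <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#a1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_security_header(xml, now, my_audience):
    """Return (model, problems). model: 'HolderOfKey' if ds:KeyInfo refers to an included
    assertion via SecurityTokenReference, 'SenderVouches' if KeyInfo carries the key itself."""
    sec = ET.fromstring(xml)
    problems = []
    assertions = {a.get("AssertionID"): a for a in sec.findall("saml:Assertion", NS)}
    if not assertions:
        problems.append("no saml:Assertion inside Security")
    for aid, a in assertions.items():
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            continue
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_utc(nb)) or (na and now >= parse_utc(na)):
            problems.append(f"{aid}: outside NotBefore/NotOnOrAfter window")
        audiences = [e.text for e in cond.findall(".//saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            problems.append(f"{aid}: audience restriction excludes {my_audience}")
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return None, problems + ["no ds:Signature binding assertions to the payload"]
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        return "SenderVouches", problems
    if ref.get("URI", "").lstrip("#") not in assertions:
        problems.append("SecurityTokenReference points at an assertion not in Security")
    return "HolderOfKey", problems
```

This checks structure and Conditions only; the signature itself still has to be verified over the payload with the key resolved from <ds:KeyInfo>, and for HolderOfKey that key must be the one carried in the referenced assertion.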