OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [security-services] Issue 29 (WSS Issue List #5)


ISSUE:
 
SAML Binding: Should there be a reference form that carries what amounts to a SAML assertion Query such that the sender does not need to have acquired the assertion (to be able to apply it to a request)?
 
DISCUSSION:
 
The WSS SAML Token Binding describes a message format for the secure
attachment of SAML Assertions or Assertion ID references to SOAP messages.
When an assertion ID reference is found in a SOAP header,
the recipient may further acquire the assertion from a SAML authority.
Information about the appropriate SAML authority URL may also be
carried in the SOAP header. The SAML assertion or Assertion ID reference are understood as describing a system entity (user, service etc.) about which the sender has some
knowledge.
 
In other words, the only way a sender can communicate SAML assertions describing
a system entity is by having knowledge of the assertion itself (or the assertion ID reference).
 
In some situations, the SAML authority may not want to reveal information about the
assertions describing the system entity to the sender. Instead, it may provide the
sender more limited information such as a subject name. The subject name
(<Saml:Subject> element) is now passed to recipient as part of the SOAP header.
The recipient may then use a standard SAML query form based on the subject name to acquire desired assertions from the SAML authority.
 
Example:
 
Sender is aware that SAML authority http://www.example.com/SAMLresponder
has knowledge of subject <Saml:Subject><Saml:NameIdentifier>John Doe</..></..>.
 
Sender places the subject element in a SOAP header together with information
about SAML authority http://www.example.com/SAMLresponder.
 
Recipient queries http://www.example.com/SAMLresponder for assertions describing
John Doe.
 
 
QUESTION:
 
Is this a desirable extension? Are there natural use-cases to support it? Is it worth including
in the next revision of the SAML token binding?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC