security-services message
Subject: RE: [security-services] draft-sstc-meta-data-00.doc


Hi Prateek,
I've finally gotten a chance to look at your Metadata document. It looks good. I think it will be very helpful in configuring SAML implementations. I have a few comments.

1. There should be a way to collect multiple SourceSiteDescriptors into one document that would define a set of source sites, something like:

<SourceSiteDescriptorList>
   <SourceSiteDescriptor>
      ...
   </SourceSiteDescriptor>
   <SourceSiteDescriptor>
      ...
   </SourceSiteDescriptor>
   . . .
</SourceSiteDescriptorList>

2. A SourceSiteDescriptor should have an identifier (an arbitrary string) that indicates which source site the descriptor describes. This would allow SAML implementations to identify the source sites when they import the descriptors. Continuing the above example:

<SourceSiteDescriptorList>
   <SourceSiteDescriptor>
      <ID>Site 1</ID>
      ...
   </SourceSiteDescriptor>
   <SourceSiteDescriptor>
      <ID>Site 2</ID>
      ...
   </SourceSiteDescriptor>
   . . .
</SourceSiteDescriptorList>

3. It's good that the TrustModel element covers all of the HTTP authentication methods, not just client side certificate. For the BasicAuth trust model, site administrators might be reluctant to provide their passwords in the clear, especially if source site descriptions are public documents. I suggest including an option to publish the SHA-1 digest of the password. Of course this requires SAML implementations to compute the digest of received passwords.

4. The KeyInfo element always scares me a bit because it has so many variations. The commentary for the TrustModel element states that KeyInfo is supposed to be an X509Certificate. Is there any way to limit the KeyInfo in the schema to an X509Certificate element?

As an exercise to understand the metadata, I put together the following description for one of the sites at the SAML 2002 Interop demo. Let me know if I got something wrong.

<SourceSiteDescriptor>
  <ProfileID>urn:oasis:names:tc:SAML:1.0:profiles:artifact_01</ProfileID>
  <Issuer>www.baltimore.com</Issuer>
  <InterSiteTransferURL>https://samltest.baltimore.com:9985/saml_in/</InterSiteTransferURL>
  <ArtifactMetaData>
    <SourceID>1ea6b9afbc7e9fa72b95f73362624fe13da6be65</SourceID>
    <SAMLProtocolBindingID>urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding</SAMLProtocolBindingID>
    <SOAPProtocolBindingMetaData>
      <SOAPResponderURL>https://samltest.baltimore.com:9984/saml_responder/</SOAPResponderURL>
      <TrustModel>
        <TrustRelationship>ClientSideCertificate</TrustRelationship>
        <KeyInfo>
          <X509Data>
            <X509Certificate>
              . . .
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </TrustModel>
    </SOAPProtocolBindingMetaData>
  </ArtifactMetaData>
</SourceSiteDescriptor>

Regards,
Charles
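An added example, not part of Charles's message or the draft, that works through comments 1 to 3 above in Python: it loads a SourceSiteDescriptorList whose descriptors carry an ID, indexes them, and checks a password received over BasicAuth against the published SHA-1 digest rather than a clear-text password. The element names follow the message except PasswordDigest, which is an assumed name; the list, SourceID and password are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "ArtifactMetaData/SOAPProtocolBindingMetaData"
# Digest Site 1 would publish instead of its clear-text BasicAuth password (constructed).
PUBLISHED_DIGEST = hashlib.sha1(b"correct-horse-battery-staple").hexdigest()
# Constructed list; element names follow the message except PasswordDigest (assumed).
SAMPLE = f"""<SourceSiteDescriptorList>
  <SourceSiteDescriptor>
    <ID>Site 1</ID>
    <ArtifactMetaData>
      <SourceID>{'ab' * 20}</SourceID>
      <SOAPProtocolBindingMetaData>
        <SOAPResponderURL>https://responder.example.com/saml/</SOAPResponderURL>
        <TrustModel>
          <TrustRelationship>BasicAuth</TrustRelationship>
          <PasswordDigest>{PUBLISHED_DIGEST}</PasswordDigest>
        </TrustModel>
      </SOAPProtocolBindingMetaData>
    </ArtifactMetaData>
  </SourceSiteDescriptor>
</SourceSiteDescriptorList>"""

def load_descriptors(xml_text):
    """Index each SourceSiteDescriptor by its ID, rejecting duplicate IDs and bad SourceIDs."""
    sites = {}
    for d in ET.fromstring(xml_text).findall("SourceSiteDescriptor"):
        site_id = d.findtext("ID")
        if not site_id or site_id in sites:
            raise ValueError("every descriptor needs a unique ID")
        source_id = d.findtext("ArtifactMetaData/SourceID", "")
        if len(bytes.fromhex(source_id)) != 20:  # SAML 1.0 artifact SourceID is 20 bytes
            raise ValueError(f"{site_id}: SourceID must be 20 bytes of hex")
        tm = d.find(SOAP + "/TrustModel")
        if tm is None:
            tm = ET.Element("TrustModel")  # nothing published: trust fields stay None
        sites[site_id] = {
            "source_id": source_id.lower(),
            "responder_url": d.findtext(SOAP + "/SOAPResponderURL"),
            "trust": tm.findtext("TrustRelationship"),
            "password_digest": tm.findtext("PasswordDigest"),
        }
    return sites

def basic_auth_password_matches(site, presented_password):
    # Digest the received password and compare in constant time with the published digest.
    if site["trust"] != "BasicAuth" or not site["password_digest"]:
        return False
    digest = hashlib.sha1(presented_password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, site["password_digest"].lower())
```

Because the descriptor is public, an unsalted SHA-1 digest still lets anyone who reads it test password guesses offline, so a deployment would want a salted, slow password hash in the published value.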

