Subject: Re: [security-services] Request to Generalize Issuer - was XACMLchange request
I had an action (AI-25) to provide element-based and attribute-based solutions to allow Issuer to carry NameQualifier and Format information. Sorry for the truly horrible delay in doing this writeup.

You'll recall that we can't do this:

    <attribute name="Issuer" type="saml:NameIdentifierType" use="required" />

because NameIdentifierType is a complex type, and attributes can't be bound to such.

An Element-Based Solution:
==========================

If we move Issuer information into an element structure, it's backwards-incompatible but is more consonant with our existing element-based NameIdentifier solution. We could either wait till SAML 2.0 to put this in, or make this new structure an optional feature in SAML 1.1 and let it sit alongside the existing Issuer-as-attribute information. However, note that Issuer is currently a required attribute and this can't change in SAML 1.1, so if people did use the new structure, they'd be duplicating some information in the instance.

Currently, Issuer information is provided like this:

    <Assertion {other_assertion_metadata_attributes}
               Issuer="http://www.example.com/AttribAuthority">
      <Conditions>...</Conditions>
      <Advice>...</Advice>
      {assertion_content}
    </Assertion>

We could either just add an <IssuerIdentifier> subelement, or we could add a more generic subelement that is prepared to hold future element-structured metadata that we dream up. Here I'll go with the former strategy, to keep it concrete and realistic.

The instance would now look like this (I'm keeping the old-style format string for now, to avoid confusing things further, but remember that we agreed to fix the fragment ID problem and invent new URNs):

    <Assertion {metadata_attributes}>
      <IssuerIdentifier IssuerQualifier="www.example.com"
                        Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
        AttribAuthority
      </IssuerIdentifier>
      <Conditions>...</Conditions>
      <Advice>...</Advice>
      {assertion_content}
    </Assertion>

An Attribute-Based Solution:
============================

We can enhance the current Issuer attribute to allow for an IssuerQualifier and a Format to be provided in sister attributes. This is something that I think we can do in SAML 1.1, if we think the description of Issuer can tolerate the additional interpretations that we'd need to layer on top:

    "The issuer of the assertion. The name of the issuer is provided as a string. The issuer name SHOULD be unambiguous to the intended relying parties. SAML authorities may use an identifier such as a URI reference that is designed to be unambiguous regardless of context."

However, in practice I think there is an interoperability problem because we've now got two fields to divide the old Issuer-field information into.

The instance would look like this (note that I broke up the original value into two places):

    <Assertion {other_metadata_attributes}
               Issuer="AttribAuthority"
               IssuerQualifier="www.example.com"
               Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
      <Conditions>...</Conditions>
      <Advice>...</Advice>
      {assertion_content}
    </Assertion>

Final Comments
==============

It may be that we want to keep the old Issuer attribute exactly as it is, semantics and all, and simply add alongside *whichever* solution (element-based or attribute-based) we decide is best for the future.

It will require duplication of information in instances for anyone who wishes to get the benefits of articulated issuer info in SAML 1.1, but at least there's no tortured logic, and the transition to SAML 2.0 would be straightforward (drop the annoying old Issuer attribute and use the new solution exclusively).

I haven't sketched up the schema code yet; let's see which way we prefer to go first.

Eve

Hal Lockhart wrote:
> In the last meeting I agreed to provide specific changes required to
> allow the Issuer to contain NameQualifier and Format, just as subject
> does, in order to provide more flexible matching of Issuer names. I also
> suggested, without looking at the schema, that the changes could be made
> backward compatible by using a Choice. However, it turns out that Issuer
> is an XML attribute.
>
> So it looks like the change required is to change the line:
>
> > <attribute name="Issuer" type="string" use="required" />
>
> to:
>
> > <attribute name="Issuer" type="saml:NameIdentifierType" use="required" />
>
> Since NameIdentifierType extends string and since NameQualifier and
> Format are use="optional" I think this is backward compatible, but I may
> be wrong.
>
> In the core spec, the simplest change would be to change the sentence on
> line 383 from:
>
> The name of the issuer is provided as a string.
>
> to:
>
> The name of the issuer is provided as a SAML NameIdentifier. The
> NameIdentifier is described in section 2.4.2.2.
>
> Alternatively, the description of NameIdentifier could be moved forward
> in the document.
>
> Hal

--
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com
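The interoperability point Eve raises (the old single Issuer string versus a split name/qualifier/format) is easiest to see by extracting the issuer triple from each of her three sketched instances and running the same relying-party match against them. This is an added example, not code from the thread or the SAML TC; it assumes the SAML 1.0 assertion namespace on the root element, which the sketches omit, and `issuer_matches` is a hypothetical relying-party check.

```python
"""Extract issuer information from the three SAML 1.x assertion shapes
discussed in the thread: the legacy Issuer attribute, the proposed
<IssuerIdentifier> element, and the proposed sister attributes."""
import xml.etree.ElementTree as ET

# Assumption: the SAML 1.0 assertion namespace; the thread's sketches omit it.
NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Old-style fragment-ID format string, exactly as used in the thread.
FMT_WDQN = f"{NS}#WindowsDomainQualifiedName"

def extract_issuer(xml_text):
    """Return (name, qualifier, format) for whichever issuer shape is present.

    Preference order: element-based <IssuerIdentifier>, then the Issuer
    attribute together with its optional IssuerQualifier/Format sisters
    (a plain legacy Issuer yields (name, None, None))."""
    root = ET.fromstring(xml_text)
    ident = root.find(f"{{{NS}}}IssuerIdentifier")
    if ident is not None:
        return ((ident.text or "").strip(), ident.get("IssuerQualifier"), ident.get("Format"))
    issuer = root.get("Issuer")
    if issuer is None:
        raise ValueError("assertion carries no Issuer information")
    return (issuer, root.get("IssuerQualifier"), root.get("Format"))

def issuer_matches(trusted, assertion_xml):
    """Hypothetical relying-party trust check: all three components must agree."""
    return extract_issuer(assertion_xml) == trusted

# Constructed instances following the three sketches in the message.
LEGACY = f'<Assertion xmlns="{NS}" Issuer="http://www.example.com/AttribAuthority"><Conditions/></Assertion>'
ELEMENT_BASED = f'''<Assertion xmlns="{NS}">
  <IssuerIdentifier IssuerQualifier="www.example.com" Format="{FMT_WDQN}">
    AttribAuthority
  </IssuerIdentifier>
  <Conditions/>
</Assertion>'''
ATTRIBUTE_BASED = (f'<Assertion xmlns="{NS}" Issuer="AttribAuthority" '
                   f'IssuerQualifier="www.example.com" Format="{FMT_WDQN}"><Conditions/></Assertion>')

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("element", ELEMENT_BASED), ("attribute", ATTRIBUTE_BASED)):
        print(label, extract_issuer(doc))
```

The element-based and attribute-based instances normalise to the same triple, while the legacy instance does not: a relying party keyed on the old URI string needs an explicit mapping before it can recognise the split form.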