[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments on core-2.0-cd-01 - Assertion Issuee
Issue: Assertion type/schema does not describe the system entities an assertion was issued to. There should be an identifier which reflects the party (or parties) the assertion was issued to.

With X.509 end entity certificates the issuee is described by either the SubjectName or the SubjectAltName. However, SAML is much more flexible with respect to the role of the entity being described by the <Subject> element. We clearly want this latitude, but at the same time I would expect there to be cases where the relying party may need additional information to distinguish between the issuee and the subject of the assertion.

My recommendation would be to add a child element to <Assertion> which reflects the party (or parties) the authority issued the assertion to. Suggested schema follows:

  <complexType name="IssuedToType">
    <sequence>
      <!-- one NameID per party the assertion was issued to -->
      <element ref="saml:NameID" maxOccurs="unbounded"/>
    </sequence>
  </complexType>
  <element name="IssuedTo" type="IssuedToType"/>

I would suggest that the guidance regarding the Format attribute be analogous to the guidance given for the <Issuer> element. The AssertionType schema would thus have the added (+) IssuedTo element as shown below.

  <element name="Assertion" type="saml:AssertionType"/>
  <complexType name="AssertionType">
    <sequence>
      <element ref="saml:Issuer"/>
      <element ref="ds:Signature" minOccurs="0"/>
+     <element ref="saml:IssuedTo" minOccurs="0"/>
      <element ref="saml:Subject" minOccurs="0"/>
      <element ref="saml:Conditions" minOccurs="0"/>
      <element ref="saml:Advice" minOccurs="0"/>
      <choice minOccurs="0" maxOccurs="unbounded">
        <element ref="saml:Statement"/>
        <element ref="saml:AuthnStatement"/>
        <element ref="saml:AuthzDecisionStatement"/>
        <element ref="saml:AttributeStatement"/>
      </choice>
    </sequence>
    <attribute name="Version" type="string" use="required"/>
    <attribute name="ID" type="ID" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
  </complexType>

The semantic around the presence or absence of an <IssuedTo> element should be that, if the element is absent from the assertion, the intention is that the assertion was issued to the Subject, and/or the <IssuedTo> party is "implied".

-- 
mailto:gfe@sun.com
http://tinyurl.com/yrbj6
"Baseball is 90% mental, the other half is physical." -- Yogi Berra
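The relying-party check that the proposal above implies, written out as an added example (it is not code from the message's author, the SAML TC, or any SAML implementation): read the proposed <IssuedTo> children, fall back to the Subject's NameID when the element is absent as the message specifies, and compare against the relying party's own identifier. <IssuedTo> is the element proposed in this message, not part of the published SAML 2.0 assertion schema; the two assertions and the identifiers in them are constructed for the example and are unsigned, so signature verification (which would come first in practice) is assumed to have been done elsewhere.

```python
"""Relying-party issuee check for the proposed <IssuedTo> element.

Added example for this thread, not code from the SAML TC or any SAML
implementation. <IssuedTo> is the element proposed in the message above;
it is not part of the published SAML 2.0 assertion schema. The sample
assertions below are constructed for the example and carry no signature.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# SAML 2.0 core: a NameID with no Format attribute is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"


def _name_ids(parent):
    """(Format, value) pairs for the saml:NameID children of parent."""
    return [(nid.get("Format", UNSPECIFIED), (nid.text or "").strip())
            for nid in parent.findall("saml:NameID", NS)]


def issuee_names(assertion_xml):
    """Parties the assertion was issued to, following the semantics in
    the post: the explicit <IssuedTo> names when the element is present,
    otherwise the Subject's NameID (the "implied" issuee)."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a saml:Assertion")
    issued_to = root.find("saml:IssuedTo", NS)
    if issued_to is not None:
        names = _name_ids(issued_to)
        if not names:
            # An empty IssuedTo names nobody; treat as an error, not as implied.
            raise ValueError("IssuedTo present but names no party")
        return names
    subject = root.find("saml:Subject", NS)
    return _name_ids(subject) if subject is not None else []


def issued_to_me(assertion_xml, my_name, my_format=UNSPECIFIED):
    """True when the relying party's own identifier is among the issuees.
    Both Format and value must match, as with an Issuer comparison."""
    return (my_format, my_name) in issuee_names(assertion_xml)


# Constructed sample: issuee (the SP) differs from the subject (a user).
WITH_ISSUED_TO = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_example-1" IssueInstant="2004-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:IssuedTo>
    <saml:NameID Format="{ENTITY}">https://sp.example.com</saml:NameID>
  </saml:IssuedTo>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: no IssuedTo, so the Subject is the implied issuee.
WITHOUT_ISSUED_TO = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_example-2" IssueInstant="2004-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(issuee_names(WITH_ISSUED_TO))
    print(issued_to_me(WITH_ISSUED_TO, "https://sp.example.com", ENTITY))
    print(issued_to_me(WITH_ISSUED_TO, "alice"))
    print(issuee_names(WITHOUT_ISSUED_TO))
```

The point of the check is that in the first assertion the Subject ("alice") is not an acceptable issuee even though it is a NameID in the assertion: once <IssuedTo> is present, only its names count, which is exactly the distinction between issuee and subject the message asks the schema to make expressible.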