Subject: SOAP client cert authn and how it relates to SAML messages
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: SAML <security-services@lists.oasis-open.org>
- Date: Thu, 18 Aug 2005 09:09:23 -0400
Hi, a question on SOAP client cert processing and how it relates to SAML messages.

When SOAP is used to authenticate a client (client-side certs are used), is there a requirement in the specifications that the client that has been authenticated "match" a SAML message being sent, or is this implementation specific?

For example, assume there are 2 Attribute Requesters that can send requests to a single Attribute Authority (SP-a and SP-b). It seems possible that SP-a can authenticate to the Authority using its own certificate and then send a SAML request message whose issuer name is that of SP-b. Since the SOAP binding was used with SSL and client authentication, signatures and encryption were not used in the SAML request message. What I'm trying to find out is if the SAML specifications allow this or forbid this explicitly.

If they forbid it, meaning that the Authority must ensure that the client that authenticated is in fact the same as the issuer of the SAML request, then what is the definition of "the same as the issuer of the SAML request"? I imagine this is implementation specific, where the client cert can come from some set of issuers or perhaps only a specific set of client certs are acceptable.

Thanks, Tom.
Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Entrust®
Securing Digital Identities & Information
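As an added illustration (not part of the original message, and not code from Entrust or OASIS), here is one way an Attribute Authority could implement the check the question asks about: bind each accepted client certificate to the one SAML entityID it is allowed to issue requests for, and reject a request whose <saml:Issuer> is not the entityID bound to the presented cert. The fingerprint-keyed registry, the entityIDs, the "cert" byte strings and the AttributeQuery are all constructed assumptions; whether the binding key is a fingerprint, a subject DN or a CA is the implementation policy the question refers to.

```python
"""Check that the TLS client that authenticated to an Attribute Authority is
the party named as <saml:Issuer> in the SAML 2.0 request it sends.
Hypothetical policy: each allowed client cert (by SHA-256 fingerprint) is
bound to exactly one issuer entityID. All values below are constructed."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def fingerprint(der_cert: bytes) -> str:
    """Fingerprint of the DER-encoded client cert presented in the TLS handshake."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


# Constructed registry: cert fingerprint -> the entityID that cert may speak for.
# A real Authority would load this from its trust configuration or metadata.
TRUSTED_CLIENTS = {
    fingerprint(b"cert-of-SP-a"): "https://sp-a.example/metadata",
    fingerprint(b"cert-of-SP-b"): "https://sp-b.example/metadata",
}


def saml_issuer(request_xml: str) -> Optional[str]:
    """Return the text of the top-level <saml:Issuer> of a SAML protocol message."""
    root = ET.fromstring(request_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        return None
    return issuer.text.strip()


def client_matches_issuer(der_cert: bytes, request_xml: str) -> bool:
    """Accept only if the authenticated cert is bound to the Issuer the request claims.
    An unknown cert, a missing Issuer, or a mismatch (SP-a's cert with SP-b's
    Issuer, the case in the question) all fail closed."""
    bound = TRUSTED_CLIENTS.get(fingerprint(der_cert))
    issuer = saml_issuer(request_xml)
    return bound is not None and issuer is not None and bound == issuer


# Constructed, unsigned AttributeQuery claiming to come from SP-b.
ATTRIBUTE_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}" ID="_req1" Version="2.0"
    IssueInstant="2005-08-18T13:09:23Z">
  <saml:Issuer>https://sp-b.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example</saml:NameID></saml:Subject>
</samlp:AttributeQuery>"""
```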