Subject: Recommended text for SAML Attr Sharing Profile for C.509 Authn-based Systems
This mail is to address my AI #0224:

Based on recent discussions, it appears that the TC is interested in holding a public review for this specification and moving it to CS status. There was one main issue posted to the list by Conor that resulted in considerable discussion. The original note describing the issue is in the email thread starting with:

As per the TC meeting documented at: it was suggested that we rename the document (which was done) and that we address the concern via additional security considerations text. I worked offline with Rick Randall and others to reach agreement on some text. This text was not brought to the committee since, at the time, it was decided to leave the document at Committee Draft status as it was approved in June.

The current security considerations text is as follows:

----------------------------
5. Security Considerations

The service provider functions as a trusted component performing the client certificate authentication of the principal that is attempting to access a protected resource. Upon successful client certificate authentication by the principal, the service provider will generate an <AttributeQuery> that contains the value of the principal's Subject DN from the principal's X.509v3 certificate within the <NameID> element. In the Encrypted/Signed Mode for this profile the service provider is authenticated by the IdP. The attributes and attribute values that are returned in the SAML <Assertion> are determined by the IdP policy configured for a service provider.
--------------------------

Here is the proposed text:

---------------------------------------
5. Security Considerations

As is the case with other processing profiles of SAML that rely on an earlier act of user authentication, this profile assumes that the system entity that performs the actual validation of user credentials is operating in a secure environment that includes the SAML system entity initiating the profile. For example, when considering the SAML Web Browser SSO Profile [SAMLProf], an authentication service that validates a username/password for a user must be securely linked to an identity provider that issues SAML web SSO assertions based on that user's act of authentication.

In this profile, an end user uses an X.509 certificate to authenticate at the service provider. The system entity that performs this authentication (i.e. validates the certificate and its trust chain) must be securely linked to the SAML service provider that subsequently initiates this profile by obtaining the X.509 subject name from the end-user certificate and issuing a SAML <AttributeQuery> for that subject to the appropriate asserting party. The mechanism by which these system entities are linked is out-of-scope for this profile. Local policy settings of the attribute authority will determine whether or not the asserting party is permitted to return attributes and their values for the requested subject.

Since this profile relies on the SAML SOAP Binding [SAMLBind], the relevant security considerations described in the SAML Security and Privacy Considerations [SAMLSec] specification should also be observed. While not mandated by the Basic Mode of this profile, the Encrypted/Signed Mode requires the service provider to successfully authenticate to the attribute authority in order to obtain the requested subject's attributes.
----------------------------------------

Comments are welcome…

Rob Philpott
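The flow the proposed text describes (service provider extracts the X.509 subject name after certificate validation, issues an <AttributeQuery> naming that subject, and the attribute authority applies local policy before answering, with the Encrypted/Signed Mode additionally requiring the requester to be authenticated) can be sketched end to end. The following is an added example written for this page, not code from the mail, the TC or the profile; it uses only the Python standard library. The entity IDs, the policy table, the attribute store, the subject DN and the `mode`/`requester_authenticated` parameters are all constructed assumptions; the only standard value is the `X509SubjectName` NameID format URN.

```python
"""Added example (not from the OASIS SAML TC mail or the profile text).

Service-provider side: build the <AttributeQuery> for an already
authenticated principal's Subject DN. Asserting-party side: apply local
policy to decide which attributes, if any, come back. All policy data
and identifiers below are constructed for illustration.
"""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard NameID format used to carry an X.509 subject name.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(subject_dn: str, sp_entity_id: str) -> ET.Element:
    """Service-provider side. subject_dn is trusted only because the caller
    (the component that validated the client certificate and its chain)
    is securely linked to this SP; that linkage is out of scope here."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    return query


# Constructed local policy of the attribute authority: which requesting SP
# may receive which attributes. Hypothetical structure, not part of the profile.
POLICY = {
    "https://sp.example.org/saml": {"mail", "eduPersonAffiliation"},
}

# Constructed attribute store keyed by X.509 subject DN.
ATTRIBUTE_STORE = {
    "CN=Alice Example,OU=Staff,O=Example Corp,C=US": {
        "mail": "alice@example.org",
        "eduPersonAffiliation": "staff",
        "employeeNumber": "12345",   # never released: not in POLICY
    },
}


def answer_query(query: ET.Element, requester_authenticated: bool, mode: str) -> dict:
    """Asserting-party side. Returns the attributes local policy permits for
    this requester and subject, or an empty dict when the query is refused.
    mode is 'basic' or 'encrypted-signed' (constructed names)."""
    # Encrypted/Signed Mode: the SP must have authenticated to the authority.
    if mode == "encrypted-signed" and not requester_authenticated:
        return {}
    issuer = query.findtext(f"{{{SAML}}}Issuer")
    name_id = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") != X509_SUBJECT_NAME:
        return {}
    allowed = POLICY.get(issuer, set())          # unknown requester -> nothing
    known = ATTRIBUTE_STORE.get(name_id.text or "", {})  # unknown subject -> nothing
    return {name: value for name, value in known.items() if name in allowed}


if __name__ == "__main__":
    q = build_attribute_query("CN=Alice Example,OU=Staff,O=Example Corp,C=US",
                              "https://sp.example.org/saml")
    print(ET.tostring(q, encoding="unicode"))
    print(answer_query(q, requester_authenticated=True, mode="encrypted-signed"))
```

The asserting-party function deliberately refuses, rather than partially answers, when the requester is unauthenticated in Encrypted/Signed Mode, when the NameID format is not the X.509 subject-name format, or when the issuer is not in the policy table; the attribute filter then releases only the intersection of what is known about the subject and what the requesting SP is permitted to see.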