security-services message

Subject: Re: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded

From: "Tom Scavo" <trscavo@gmail.com>
To: "Ari Kermaier" <ari.kermaier@oracle.com>
Date: Mon, 7 Aug 2006 17:17:11 -0400

On 8/7/06, Tom Scavo <trscavo@gmail.com> wrote:
> On 8/4/06, Ari Kermaier <ari.kermaier@oracle.com> wrote:
> >
> > Overall, this looks good, though I want to go through the metadata section and schema a little more carefully.
>
> If something looks fishy with the metadata bits, that's because there
> is. :-)  Scott and I had an offline discussion that exposed a
> potential problem.  (I'll refrain from going into the details here.)
> Consequently, the metadata section must be rewritten (or at least
> reexamined).

Below is a metadata example that illustrates the problem.  Note that
there are three <md:AttributeService> elements, two that call out
support of the X.509 Attribute Sharing Profile.  Unless the Attribute
Sharing Profile is an extension of the Assertion Query/Request Profile
(in the strongest sense), an SP that knows nothing about the Attribute
Sharing Profile is unable to distinguish the three endpoints.

<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.org/saml";>
  <md:AttributeAuthorityDescriptor
    xmlns:x509qry="urn:oasis:names:tc:SAML:2.0:profiles:X509:query:attribute"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.org:8443/saml-idp/AA"/>
    <md:AttributeService
      x509qry:hasBasicSupport="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.org:8443/saml-idp/AA/basic"/>
    <md:AttributeService
      x509qry:hasEnhancedSupport="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.org:8443/saml-idp/AA/enhanced"/>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    </md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>

I'm not sure what the best solution to this problem is.  Any suggestions?

Thanks,
Tom

Follow-Ups:
- Re: [security-services] Groups -sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
  - From: Greg Whitehead <greg.whitehead@hp.com>

References:
- RE: [security-services] Groups -sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
  - From: "Ari Kermaier" <ari.kermaier@oracle.com>
- Re: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
  - From: "Tom Scavo" <trscavo@gmail.com>