[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Simple Sign not so simple
Scott Cantor replied: > > =JeffH had scrawled: > > Our intent is that "...RelayState=value..." is _optional_ in the octet > > string that is constructed in step 2, and subsequently fed into the > signature > > function in step 3 of section 2.5. > > > > Can you suggest a way it can be clarified? > > There's text in SAMLBind for this, we just forgot to copy it. This where I > agree with Sampo's point...you shouldn't have to read HTTP-Redirect to > understand this one. ;-) Ok, so the text we have in saml-bindings-2.0-os addressing this appears to be at the end of section "3.4.4.1 DEFLATE Encoding" (line 624) and reads.. "Finally, note that if there is no RelayState value, the entire parameter should be omitted from the signature computation (and not included as an empty parameter name)." In reviewing sstc-saml-binding-simplesign-cs-01, I think a statement to this effect belongs in step 2 of section "2.5 SimpleSign Signature" (line 306). In reviewing that step, I can see where Sampo & Co.'s question came from. I propose adding the above caveat from saml-bindings-2.0-os to step 2 of section "2.5 SimpleSign Signature" of sstc-saml-binding-simplesign-cs-01, like so: 2. A string consisting of the concatenation of the raw, unencoded XML making up the SAML protocol message (NOT the base64-encoded version), the RelayState value (if present), and the SigAlg value, is constructed in one of the following ways (each individually ordered as shown): SAMLRequest=value&RelayState=value&SigAlg=value SAMLResponse=value&RelayState=value&SigAlg=value Note that if there is no RelayState value, the entire parameter should be omitted from the signature computation (and not included as an empty parameter name), resulting in a string of one of these forms: SAMLRequest=value&SigAlg=value SAMLResponse=value&SigAlg=value Now, a reasonable question is "what have implementors actually done?" ;) I'm hoping most all of you have intuitively done it the above way. Feedback? thanks, =JeffH
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]