OASIS Mailing List Archives

security-services message



Subject: SOA-TEL Token Correlation Profile: signature problem


I think I have found a solution for the signature problem: how to embed the second assertion (or its link) into the first assertion without invalidating the signature on the assertion.

 

The scenario is the following:

The IDP issues a SAML assertion (SAML-Y) in which the <token-correlation> element is present and, obviously, the <token-correlated> tag is not set or is missing.

The IDP signs SAML-Y by putting in the assertion, besides the <transform> element which excludes the signature itself, another <transform> element to exclude the <token-correlated> element.

 

In this way the Intermediary can freely insert the <token-correlated> tag without invalidating the IDP signature.

 

For the handling of the transform element I refer to section 6.6.3, “XPath Filtering”, of the “XML Signature Syntax and Processing” specification:

 

…..

The primary purpose of this transform is to ensure that only specifically defined changes to the input XML document are permitted after the signature is affixed. This is done by omitting precisely those nodes that are allowed to change once the signature is affixed, and including all other input nodes in the output.

…….

 

<Document>
  ...
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      ...
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <XPath xmlns:dsig="&dsig;">
            not(ancestor-or-self::dsig:Signature)
            </XPath>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
  </Signature>
  ...
</Document>

 

……………………..

 

In my view, by replacing the expression (ancestor-or-self::dsig:Signature) with an expression that locates the <token-correlated> element, the signature problem is overcome.

 

Regards

 


This e-mail and any attachments are confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail. Thanks.

Respect the environment. Do not print this e-mail unless it is necessary.
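The scheme proposed in the message above, worked through as an added example that is not part of the original post, the SOA-TEL profile, or any XML-DSig library. It models the two XPath exclusions (the Signature element and the <token-correlated> element, each with its whole subtree, as ancestor-or-self:: implies) using only Python's standard library: ElementTree's C14N 2.0 canonicalizer stands in for the transform chain, an HMAC stands in for the IdP's RSA key, and the token-correlation namespace, the sample assertion and the simplified <ds:Signature> layout are all constructed here, not taken from the profile. It goes one step past the post by also showing that anything the Intermediary nests under <token-correlated> is equally outside the signature, which is a direct consequence of excluding the subtree rather than the single node.

```python
"""Added example: XPath-style exclusion of <token-correlated> from an XML signature.

Not the mailing-list author's code. Element namespaces, the sample assertion and the
HMAC stand-in for the IdP signing key are assumptions made for this illustration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
TC_NS = "urn:example:token-correlation"   # assumed namespace, not from the post

for prefix, uri in (("saml", SAML_NS), ("ds", DSIG_NS), ("tc", TC_NS)):
    ET.register_namespace(prefix, uri)    # stable prefixes in serialized output

# Constructed sample of SAML-Y as issued by the IdP: <token-correlation> is
# present, <token-correlated> is absent.
SAML_Y = f"""<Assertion xmlns="{SAML_NS}" ID="saml-y">
  <Issuer>https://idp.example</Issuer>
  <Subject><NameID>alice</NameID></Subject>
  <tc:token-correlation xmlns:tc="{TC_NS}">
    <tc:correlated-token-ref>saml-x</tc:correlated-token-ref>
  </tc:token-correlation>
</Assertion>"""

# Node set dropped by the two transforms:
#   not(ancestor-or-self::dsig:Signature)  and  not(ancestor-or-self::tc:token-correlated)
EXCLUDED_TAGS = {f"{{{DSIG_NS}}}Signature", f"{{{TC_NS}}}token-correlated"}

# Symmetric stand-in for the IdP's private key (assumption of this example).
IDP_KEY = b"idp-signing-key-constructed-for-this-example"


def filtered_c14n(xml_text: str) -> bytes:
    """Canonical form of the document with every excluded element and its
    whole subtree removed, mirroring what ancestor-or-self:: leaves out."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if el.tag in EXCLUDED_TAGS and el in parents:
            parents[el].remove(el)      # drops the subtree and the element's tail text
    # strip_text keeps whitespace-only nodes out of the digest; a real XML-DSig
    # implementation would apply C14N 1.x / exclusive C14N here instead.
    return ET.canonicalize(ET.tostring(root, encoding="unicode"), strip_text=True).encode()


def digest(xml_text: str) -> str:
    """Model of <DigestValue> over the filtered node set."""
    return hashlib.sha256(filtered_c14n(xml_text)).hexdigest()


def signature_value(xml_text: str) -> str:
    """Model of <SignatureValue>: HMAC over the digest (RSA in the real profile)."""
    return hmac.new(IDP_KEY, digest(xml_text).encode(), hashlib.sha256).hexdigest()


def idp_issue(xml_text: str) -> str:
    """IdP step: sign the filtered node set and embed a simplified <ds:Signature>."""
    root = ET.fromstring(xml_text)
    sig = ET.SubElement(root, f"{{{DSIG_NS}}}Signature")
    ET.SubElement(sig, f"{{{DSIG_NS}}}SignatureValue").text = signature_value(xml_text)
    return ET.tostring(root, encoding="unicode")


def intermediary_mark_correlated(xml_text: str, nested_xml: str = "") -> str:
    """Intermediary step: add <tc:token-correlated> (optionally with nested
    content) inside <tc:token-correlation>, touching nothing else."""
    root = ET.fromstring(xml_text)
    correlation = root.find(f"{{{TC_NS}}}token-correlation")
    marker = ET.SubElement(correlation, f"{{{TC_NS}}}token-correlated")
    marker.text = "true"
    if nested_xml:
        marker.append(ET.fromstring(nested_xml))
    return ET.tostring(root, encoding="unicode")


def verify(xml_text: str) -> bool:
    """Relying-party step: recompute over the filtered node set and compare."""
    root = ET.fromstring(xml_text)
    sv = root.find(f"{{{DSIG_NS}}}Signature/{{{DSIG_NS}}}SignatureValue")
    if sv is None or not sv.text:
        return False
    return hmac.compare_digest(signature_value(xml_text), sv.text)


def demo() -> dict:
    signed = idp_issue(SAML_Y)
    marked = intermediary_mark_correlated(signed)
    tampered = marked.replace("alice", "mallory")          # touches a covered node
    nested = intermediary_mark_correlated(signed, "<x>unsigned</x>")
    return {
        "original_verifies": verify(signed),
        "marked_verifies": verify(marked),        # marker is outside the digest
        "tampered_verifies": verify(tampered),    # Subject is still covered
        "nested_payload_verifies": verify(nested),  # subtree under the marker is not
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last result is the one to keep in mind when writing the replacement XPath expression: excluding the <token-correlated> element with ancestor-or-self:: also excludes every descendant it may later acquire, so the relying party must treat the whole marker subtree as unsigned data from the Intermediary, not only the flag itself.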


