ws-sx message
Subject: NEW Issue: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE 
ISSUE IS ASSIGNED A NUMBER.  
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp

    
http://www.oasis-open.org/committees/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pdf

Artifact:  spec

Type:    design

Title:

    Need additional SamlToken Assertion Elements for Holder-of-Key and 
Sender-Vouches

Description:

    Comparable to the level of granularity defined for UsernameToken Assertions (lines 854-861 (NoPassword, HashPassword)) and X509Token Assertions (lines 1004-1024, several token types), the SamlToken Assertion needs token types of sender-vouches and holder-of-key defined. As in the Username and X509 token cases, the WS 1.0 and WS 1.1 Saml Token profiles identify these token types as explicit use cases that the profile supports.

       http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
          see line 495

       
http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
          see line 672

Related issues:    None

Proposed Resolution:

    Add the following lines after line 1322 in section 5.3.8:

       /sp:SamlToken/wsp:Policy/sp:WssSamlHolderOfKey
          This optional element identifies that a SAML holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.0, 1.1].

       /sp:SamlToken/wsp:Policy/sp:WssSamlSenderVouches
          This optional element identifies that a SAML sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.0, 1.1].

    The above proposal would require 2 elements to fully define the required token. An alternative approach would be to explicitly define the 2 tokens for all 3 supported versions as follows:

       /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token10HolderOfKey
          This optional element identifies that a SAML Version 1.1 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.0].

       /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token10SenderVouches
          This optional element identifies that a SAML Version 1.1 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.0].

       /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token11HolderOfKey
          This optional element identifies that a SAML Version 1.1 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.1].

       /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token11SenderVouches
          This optional element identifies that a SAML Version 1.1 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.1].

       /sp:SamlToken/wsp:Policy/sp:WssSamlV20Token11HolderOfKey
          This optional element identifies that a SAML Version 2.0 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.1].

       /sp:SamlToken/wsp:Policy/sp:WssSamlV20Token11SenderVouches
          This optional element identifies that a SAML Version 2.0 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.1].

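An added illustration, not part of the message above and not taken from the WS-SecurityPolicy draft it cites: a policy fragment showing where the first proposed form (two child elements, one for the SAML version/profile and one for the confirmation method) would sit inside an existing SamlToken assertion. The namespace URIs, the IncludeToken value and the enclosing SignedSupportingTokens assertion are assumed for illustration; sp:WssSamlHolderOfKey and sp:WssSamlSenderVouches are the elements proposed in this issue and are not defined in any published WS-SecurityPolicy version.

```xml
<!-- Added illustration (constructed): how the proposed sp:WssSamlHolderOfKey
     element would nest under an existing sp:SamlToken assertion.
     Assumptions: the wsp/sp namespace URIs and IncludeToken value below, and the
     enclosing sp:SignedSupportingTokens assertion. sp:WssSamlHolderOfKey is the
     element proposed in this issue, not one from a published spec. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <!-- existing nested assertion: SAML 1.1 assertion carried as
               described by WSS SAML Token Profile 1.1 -->
          <sp:WssSamlV11Token11/>
          <!-- proposed nested assertion: the assertion's subject confirmation
               method must be holder-of-key, so the sender has to prove
               possession of the key named in the assertion -->
          <sp:WssSamlHolderOfKey/>
        </wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
</wsp:Policy>
```

Under the alternative form in the proposal, the two nested elements above would collapse into a single element such as sp:WssSamlV11Token11HolderOfKey. The practical value of either form is that the confirmation method is otherwise only visible inside the assertion itself: without a policy element, a recipient that needs proof of possession has no standard way to advertise that it will reject a sender-vouches assertion, where trust rests solely on the sender's signature over the assertion rather than on the subject demonstrating the key.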



