

Subject: RE: [wss-dev] SAML token profile question


The SOAP messages in the examples in sections 3.5.2.3 and 3.5.2.4 each make use of two SAML Assertions. One is conveyed within the message and the other is referenced on an external web page (notionally at opensaml.org). They are referred to using the Security Token References labeled STR1 & STR2. It is the remotely referenced Assertion which contains the Sender Vouches Confirmation Method. This is explained in the boldface text at the beginning of section 3.5.2.3. (The text refers to section 3.3.3. I believe that should read 3.4.3.)


The example is quite complex, but I believe the authors were trying to illustrate a plausible real world scenario. The basic idea is that the two assertions refer to 1) the party on whose behalf the request is being done (STR2) and 2) the gateway who is the attesting entity (STR1). Other complications include: SAML Assertions are generally signed, so it is not possible to insert an XML label when including them in a msg signature, use of the Security Token Reference Transform and the use of the SAML Authority Binding feature.


Most real world deployments of WSS do not use schemes of this complexity even when using SAML Tokens.


Hal


From: Pim van der Eijk [mailto:lists@sonnenglanz.net]
Sent: Wednesday, May 29, 2013 7:35 AM
To: wss-dev@lists.oasis-open.org
Subject: [wss-dev] SAML token profile question

Hello,


The WSS SAML token profile is defined in:


Section 3.5.2 of the profiles describes the sender-vouches method of establishing the correspondence between a SOAP message and the SAML assertions added to the SOAP message according to the SAML profile of WSS: SOAP Message Security. An attesting entity uses the sender-vouches confirmation method to assert that it is acting on behalf of the subject of SAML statements attributed with a sender-vouches SubjectConfirmation element.


Section 3.5.2.3 provides an example SOAP message using this profile using SAML 1.1 using this subject confirmation method.

Lines 823-825 in the example are:

<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>


I had expected an example with a sender vouches confirmation method:

<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:2.0:cm:sendervouches
</saml:ConfirmationMethod>

What am I missing?


Pim van der Eijk
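The two-assertion layout Hal describes above, as an added example that is not from the thread or the profile document: a small checker that walks a WSS Security header, resolves each SecurityTokenReference to either the inline assertion or the AuthorityBinding-referenced remote one, and reports which confirmation method each carries. The SOAP envelope, the AssertionIDs and the Location URL are constructed; the remote assertion is supplied through a dict instead of being fetched.

```python
import xml.etree.ElementTree as ET

NS = {  # SOAP 1.1 envelope, WSS 1.0 secext, SAML 1.x assertion namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
METHODS = {f"urn:oasis:names:tc:SAML:{v}:cm:{m}": m  # ConfirmationMethod URIs from SAML 1.x / 2.0 core
           for v in ("1.0", "2.0") for m in ("holder-of-key", "sender-vouches")}

def resolve_str(sec, str_el, remote):
    """Resolve one STR to ('inline' | 'remote', assertion element). An STR carrying
    saml:AuthorityBinding names an assertion that is NOT in the message; `remote` is a constructed stand-in for fetching it."""
    key_id = str_el.find("wsse:KeyIdentifier", NS).text.strip()
    if str_el.find("saml:AuthorityBinding", NS) is not None:
        return "remote", ET.fromstring(remote[key_id])
    for a in sec.findall("saml:Assertion", NS):
        if a.get("AssertionID") == key_id:
            return "inline", a
    raise KeyError(f"STR names AssertionID {key_id!r} but no such assertion is in the header")

def confirmation_report(envelope_xml, remote):
    """Map each STR's AssertionID -> (where the assertion lives, its confirmation methods)."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    report = {}
    for str_el in sec.iter(f"{{{NS['wsse']}}}SecurityTokenReference"):
        where, assertion = resolve_str(sec, str_el, remote)
        cms = assertion.iter(f"{{{NS['saml']}}}ConfirmationMethod")
        methods = [METHODS.get(cm.text.strip(), "other") for cm in cms]
        report[str_el.find("wsse:KeyIdentifier", NS).text.strip()] = (where, methods)
    return report

# Constructed sample shaped like the profile's example: the inline assertion is
# holder-of-key, the AuthorityBinding-referenced (attesting gateway's) one is sender-vouches.
HOK, SV = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
ASSERTION = ('<saml:Assertion xmlns:saml="{saml}" AssertionID="{id}" MajorVersion="1" MinorVersion="1">'
             '<saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>'
             '<saml:ConfirmationMethod>{cm}</saml:ConfirmationMethod></saml:SubjectConfirmation>'
             '</saml:Subject></saml:AuthenticationStatement></saml:Assertion>')
INLINE_ID, REMOTE_ID = "_a75adf55", "_b1c2d3e4"  # made-up IDs
REMOTE = {REMOTE_ID: ASSERTION.format(saml=NS["saml"], id=REMOTE_ID, cm=SV)}
ENVELOPE = (f'<S:Envelope xmlns:S="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:saml="{NS["saml"]}">'
            '<S:Header><wsse:Security>' + ASSERTION.format(saml=NS["saml"], id=INLINE_ID, cm=HOK) +
            f'<wsse:SecurityTokenReference><wsse:KeyIdentifier>{INLINE_ID}</wsse:KeyIdentifier>'
            '</wsse:SecurityTokenReference><wsse:SecurityTokenReference>'
            '<saml:AuthorityBinding Location="https://idp.example.invalid/saml"/>'
            f'<wsse:KeyIdentifier>{REMOTE_ID}</wsse:KeyIdentifier></wsse:SecurityTokenReference>'
            '</wsse:Security></S:Header><S:Body/></S:Envelope>')
```

Running `confirmation_report(ENVELOPE, REMOTE)` shows the inline assertion as holder-of-key and only the remotely referenced one as sender-vouches, which is the situation the reply above describes.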
