[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [no subject]
I have reviewed this comment and I think it may be an overly restrictive interpretation of the intended usage of the URI attribute described in the WS-Security core spec, section 7.2, lines 699-701.

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

In particular, the ValueType attribute (lines 702-708) appears to be intended to provide token-specific processing rules to be applied in conjunction with the URI attribute. In the case of SAML 1.1 assertions, the SAML ValueType indicates that the saml:AssertionID should be treated as an XML ID-type attribute. As described in section 4.2, lines 418-425, this may be done without requiring XML schema validation.

I have also looked at the REL Token Profile specification that has been approved by the TC, and this appears to suggest using this same mechanism with direct references in Table 2 (section 3.4, line 150) and shows this mechanism used in the example in section 3.5.1, lines 308-309 and 336-342, and again in the example in section 3.6.1, lines 404-405 and 423-425 (although the ValueType appears to have been left out in this second example).

http://www.oasis-open.org/apps/org/workgroup/wss/download.php/7347/oasis-____-wss-REL-token-profile-1.0-draft08-clean.pdf

From my reading of these documents, plus the use of the STR mechanism in scenario 3 of the SAML Interop, which is compliant with the recommended usage in the SAML Token Profile (section 3.3.1, lines 318-319 and lines 326-331),

http://www.oasis-open.org/apps/org/workgroup/wss/download.php/6877/WSS-SAML-11.pdf

it appears that both the SAML and REL authors and the interop participants have interpreted the usage of ValueType and URI in the STR element to allow for the token (license or assertion) having its own ID-type attribute.

Rich Levinson
Netegrity

_____
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Monday, June 21, 2004 2:39 PM
To: wss@lists.oasis-open.org
Subject: [wss] Comments on SAML Token Profile

We ran into some inconsistencies while participating in the recent SAML interop. The WSS core specification describes a "Direct Reference" mechanism to be used with STRs. A Reference element with a URI attribute is used. When the referenced token is located within the Security header, the URI contains a shorthand XPointer reference to the token. In order for this to work, the token element must contain an attribute of type ID. WSS defines the wsu:Id attribute with type ID for naming the reference. Direct references within the message should not require token-specific methods, so we suggest the following actions be taken:

1) Errata to the WSS core to make it clear the tokens must have an attribute named wsu:Id.
2) Change to the SAML Token Profile to use a wsu:Id attribute or use a wsse:KeyIdentifier.

Anthony Nadalin | work 512.838.0085 | cell 512.289.4122
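The point the two messages disagree on is how a receiver resolves an STR Direct Reference (wsse:Reference/@URI="#id") to a token inside wsse:Security: Nadalin's reading honours only wsu:Id, Levinson's reading also honours a token-specific ID attribute (saml:AssertionID) when the Reference's ValueType names the token type. The resolver below is an added example written for this page, not code from either author, the OASIS TC or any WSS implementation. It runs both readings over three constructed SOAP messages and shows where they agree, where a wsu:Id-only resolver fails on an assertion that carries only an AssertionID, and how a colliding ID is handled. The ValueType URI, the assertion ID, the issuer and the message contents are illustrative assumptions; check the profile text for the exact ValueType identifier before relying on it.

```python
"""Resolve a WSS SecurityTokenReference "Direct Reference" (URI="#id") to a
token inside wsse:Security under the two readings argued in the thread.
Added example with constructed sample messages; not from the WSS specs."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

WSU_ID = f"{{{WSU}}}Id"
# ValueType URI assumed for illustration; the profile's exact identifier may differ.
SAML_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# Levinson's reading: a ValueType declares a token-specific attribute that the
# receiver treats as an XML ID (saml:Assertion/@AssertionID for SAML 1.1).
TOKEN_ID_ATTRS = {SAML_VALUETYPE: (f"{{{SAML}}}Assertion", "AssertionID")}


class STRResolveError(Exception):
    """kind is one of 'malformed', 'not-found', 'ambiguous'."""

    def __init__(self, kind: str, detail: str):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def resolve_direct_reference(envelope_xml: str, *, allow_valuetype_ids: bool) -> ET.Element:
    """Return the single wsse:Security child named by the STR's Reference/@URI.

    allow_valuetype_ids=False: only wsu:Id counts (Nadalin's reading).
    allow_valuetype_ids=True:  the ValueType-declared ID attribute also counts.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise STRResolveError("malformed", "no wsse:Security header")
    str_el = security.find(f"{{{WSSE}}}SecurityTokenReference")
    ref = None if str_el is None else str_el.find(f"{{{WSSE}}}Reference")
    if ref is None:
        raise STRResolveError("malformed", "no wsse:Reference in the STR")
    uri = ref.get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise STRResolveError("malformed", "only shorthand XPointer (#id) references handled")
    target = uri[1:]
    value_type = ref.get("ValueType")  # unqualified attribute, per WSS core

    matches = []
    for el in security:
        if el is str_el:
            continue  # the STR itself is never the referenced token
        if el.get(WSU_ID) == target:
            matches.append(el)
            continue
        if allow_valuetype_ids and value_type in TOKEN_ID_ATTRS:
            tag, attr = TOKEN_ID_ATTRS[value_type]
            if el.tag == tag and el.get(attr) == target:
                matches.append(el)
    if not matches:
        raise STRResolveError("not-found", f"no token carries ID {target!r}")
    if len(matches) > 1:
        # Two elements claim one ID: fail closed instead of picking one.
        raise STRResolveError("ambiguous", f"{len(matches)} elements carry ID {target!r}")
    return matches[0]


def outcome(envelope_xml: str, *, allow_valuetype_ids: bool) -> str:
    """'resolved:<local-name>' or 'error:<kind>' for the given reading."""
    try:
        el = resolve_direct_reference(envelope_xml, allow_valuetype_ids=allow_valuetype_ids)
    except STRResolveError as exc:
        return f"error:{exc.kind}"
    return "resolved:" + el.tag.split("}")[-1]


def _envelope(security_children: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:saml="{SAML}"><soap:Header><wsse:Security>'
            f"{security_children}</wsse:Security></soap:Header>"
            "<soap:Body><Ping/></soap:Body></soap:Envelope>")


ASSERTION_ID = "_a1b2c3d4e5f60718293a4b5c6d7e8f90"  # constructed sample value
_ASSERTION_ATTRS = ('MajorVersion="1" MinorVersion="1" Issuer="https://idp.example.test" '
                    'IssueInstant="2004-06-21T18:39:00Z"')

# Constructed sample 1: the interop case, assertion identified only by AssertionID.
MSG_ASSERTIONID_ONLY = _envelope(
    f'<saml:Assertion AssertionID="{ASSERTION_ID}" {_ASSERTION_ATTRS}/>'
    f'<wsse:SecurityTokenReference><wsse:Reference URI="#{ASSERTION_ID}" '
    f'ValueType="{SAML_VALUETYPE}"/></wsse:SecurityTokenReference>')

# Constructed sample 2: Nadalin's proposal, the token also carries a wsu:Id.
MSG_WSU_ID = _envelope(
    f'<saml:Assertion wsu:Id="SamlToken-1" AssertionID="{ASSERTION_ID}" {_ASSERTION_ATTRS}/>'
    '<wsse:SecurityTokenReference><wsse:Reference URI="#SamlToken-1"/>'
    '</wsse:SecurityTokenReference>')

# Constructed sample 3: another token's wsu:Id equals the assertion's AssertionID.
MSG_COLLIDING = _envelope(
    f'<saml:Assertion AssertionID="{ASSERTION_ID}" {_ASSERTION_ATTRS}/>'
    f'<wsse:BinarySecurityToken wsu:Id="{ASSERTION_ID}">QUJD</wsse:BinarySecurityToken>'
    f'<wsse:SecurityTokenReference><wsse:Reference URI="#{ASSERTION_ID}" '
    f'ValueType="{SAML_VALUETYPE}"/></wsse:SecurityTokenReference>')

if __name__ == "__main__":
    for name, msg in [("AssertionID only", MSG_ASSERTIONID_ONLY),
                      ("wsu:Id", MSG_WSU_ID), ("colliding IDs", MSG_COLLIDING)]:
        print(f"{name:17} wsu:Id-only={outcome(msg, allow_valuetype_ids=False):30}"
              f" ValueType-aware={outcome(msg, allow_valuetype_ids=True)}")
```

Under the wsu:Id-only reading the first message fails to resolve, which is the inconsistency the interop surfaced; under the ValueType-aware reading it resolves, but the third message becomes ambiguous because two elements now carry the same ID under different attributes. A receiver that accepts token-specific ID attributes should therefore collect every candidate and refuse the reference when more than one matches, rather than returning the first hit.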