OASIS Mailing List Archives: wss message


Subject: RE: [wss] Comments on SAML Token Profile


Michael

I'm not sure this is true. If it is adhering to the token profile then it also knows saml:AssertionId so should not require schema processing. 

Isn't this right?


regards, Frederick

Frederick Hirsch
Nokia



> -----Original Message-----
> From: ext Michael McIntosh [mailto:mikemci@us.ibm.com]
> Sent: Friday, June 25, 2004 10:53 AM
> To: Hirsch Frederick (Nokia-TP/Boston)
> Cc: Anthony Nadalin; maneesh@westbridgetech.com;
> wss@lists.oasis-open.org
> Subject: RE: [wss] Comments on SAML Token Profile
> 
> 
> <Frederick.Hirsch@nokia.com> wrote on 06/25/2004 10:17:25 AM:
> 
> > Why cannot reference saml:AssertionId if specified in profile? Same xsd:Id type as wsu:ID, also "well known" to profile. Same properties as wsu:Id. Why a problem?
> 
> Because WSS implementation knows wsu:Id is of type xsd:Id. In order for it to know saml:AssertionID (or any other token defined attribute) is of type xsd:Id, requires schema processing.
> 
> > 
> > regards, Frederick
> > 
> > Frederick Hirsch
> > Nokia
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: ext Anthony Nadalin [mailto:drsecure@us.ibm.com]
> > > Sent: Thursday, June 24, 2004 7:01 PM
> > > To: Maneesh Sahu; Michael McIntosh
> > > Cc: wss
> > > Subject: Re: [wss] Comments on SAML Token Profile
> > > 
> > > 
> > > Also pointed out is to use KeyIdentifier
> > > 
> > > -
> > > Anthony Nadalin
> > > Sent from my BlackBerry Handheld.
> > > 
> > > 
> > > ----- Original Message -----
> > > From: "Maneesh Sahu" [maneesh@westbridgetech.com]
> > > Sent: 06/24/2004 04:20 PM
> > > To: Michael McIntosh/Watson/IBM@IBMUS
> > > Cc: <wss@lists.oasis-open.org>
> > > Subject: RE: [wss] Comments on SAML Token Profile
> > > 
> > > Hi Michael,
> > > 
> > > Adding a wsu:Id to the SecurityToken - the SAML Assertion in this case - would cause it to violate the SAML schema. Is this permissible?
> > > 
> > > --ms
> > > 
> > > -----Original Message-----
> > > From: Michael McIntosh [mailto:mikemci@us.ibm.com] 
> > > Sent: Thursday, June 24, 2004 3:04 PM
> > > To: Ron Monzillo
> > > Cc: Anthony Nadalin; wss@lists.oasis-open.org
> > > Subject: Re: [wss] Comments on SAML Token Profile
> > > 
> > > Ron Monzillo <Ronald.Monzillo@Sun.COM> wrote on 06/24/2004 12:01:08 PM:
> > > 
> > > > 
> > > > 
> > > > Anthony Nadalin wrote:
> > > > 
> > > > > We ran into some inconsistencies while participating in the recent SAML interop. The WSS core specification describes a "Direct Reference" mechanism to be used with STRs. A Reference element with a URI attribute is used. When the referenced token is located within the Security header, the URI contains a shorthand XPointer reference to the token. In order for this to work, the token element must contain an attribute of type ID. WSS defines the wsu:Id attribute with type ID for naming the reference. Direct references within the message should not require token specific methods so we suggest the following actions be taken:
> > > > >
> > > > > 1) Errata to the WSS core to make it clear the tokens must have an attribute named wsu:Id.
> > > > > 2) Change to the SAML Token Profile to use a wsu:Id attribute or use a wsse:KeyIdentifier
> > > > >
> > > > These changes are not a good idea.
> > > 
> > > It is a good idea, otherwise the dereferencing mechanism would require XML schema processing to enable it to identify which attributes were ID type.
> > > 
> > > Please see my response to Rich Levinson.
> > > 
> > > > 
> > > > The wsu:id attribute was defined for use as a convenience where new schema elements are being defined, or with elements which support attribute extensibility and which do not already include an id attribute.
> > > > 
> > > > The only constraint on using an STR Direct Reference with a fragment containing an id value is that the thing being referenced must have an attribute of type id.
> > > > 
> > > > In SAML V1.1 the AssertionID attribute so qualifies, that is:
> > > > 
> > > > <attribute name="AssertionID" type="ID" use="required"/>
> > > 
> > > I do not understand the aversion to adding the wrapper element. It seems to me that it makes it easier for services to support the profile. Using the known ID type of wsu:Id facilitates extensibility of platforms to enable new token types. Using token specific mechanisms for references potentially requires modifying the core WSS dereferencing processing for every new token type.
> > > 
> > > > 
> > > > Ron
> > > > 
> > > > PS: I also concur with Rich Levinson
> > > > 
> > > > > In particular, the ValueType attribute (lines 702-708) appears to be intended to provide token-specific processing rules to be applied in conjunction with the URI attribute. In the case of SAML 1.1 assertions, the SAML ValueType indicates that the saml:AssertionID should be treated as an XML ID type attribute.
> > > > 
> > > > >
> > > > > Anthony Nadalin | work 512.838.0085 | cell 512.289.4122
> > > > >
> > > > 
> > > > 
> > > > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.

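The dereferencing step the thread argues about, as an added example that is not part of the mailing list post or of the OASIS specifications: a core WSS processor that resolves a wsse:Reference/@URI shorthand XPointer knows, without any schema processing, that wsu:Id is an xsd:ID. The SAML 1.1 AssertionID attribute is also an ID in the SAML schema, but a processor only learns that if it implements the SAML token profile (or runs the schema). The registry pattern below makes that knowledge explicit and per token type; the namespace URIs are the published WSS 1.0 and SAML 1.0 ones, while the sample envelope, its identifier values and the token contents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespaces from WSS 1.0 and SAML 1.x; S is SOAP 1.1.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Attributes the dereferencer treats as xsd:ID without schema processing.
# Key: element tag in Clark notation (None = any element); value: attribute name.
# A core WSS processor knows only wsu:Id; one that also implements the SAML
# token profile additionally knows saml:Assertion/@AssertionID is an ID.
CORE_ID_ATTRIBUTES = {None: f"{{{WSU}}}Id"}
SAML11_PROFILE_ID_ATTRIBUTES = {**CORE_ID_ATTRIBUTES, f"{{{SAML}}}Assertion": "AssertionID"}


class DereferenceError(Exception):
    """Raised when a direct reference cannot be resolved unambiguously."""


def id_values(elem, registry):
    """Return the ID-typed attribute values of elem according to the registry."""
    names = {registry.get(None), registry.get(elem.tag)} - {None}
    return {elem.get(n) for n in names if elem.get(n) is not None}


def dereference(scope, uri, registry):
    """Resolve a shorthand XPointer ('#id') direct reference within scope.

    Returns the referenced element, or None if no known ID attribute matches.
    Raises DereferenceError if the ID occurs more than once in scope: a direct
    reference must identify exactly one token, so an ambiguous match is rejected
    rather than resolved to whichever element happens to come first.
    """
    if not uri.startswith("#"):
        raise DereferenceError(f"not a shorthand XPointer reference: {uri!r}")
    target = uri[1:]
    matches = [e for e in scope.iter() if target in id_values(e, registry)]
    if len(matches) > 1:
        raise DereferenceError(f"ID {target!r} occurs {len(matches)} times in scope")
    return matches[0] if matches else None


def resolve_str(str_elem, scope, registry):
    """Resolve a wsse:SecurityTokenReference that carries a wsse:Reference/@URI."""
    ref = str_elem.find(f"{{{WSSE}}}Reference")
    if ref is None or ref.get("URI") is None:
        raise DereferenceError("SecurityTokenReference has no direct Reference/@URI")
    return dereference(scope, ref.get("URI"), registry)


# Constructed sample (not a real interop message): a SAML 1.1 assertion identified
# only by AssertionID, an X.509 token identified by wsu:Id, and one STR for each.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}">
  <S:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:saml="{SAML}">
      <saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="1"
                      Issuer="urn:example:constructed" IssueInstant="2004-06-24T12:00:00Z"/>
      <wsse:BinarySecurityToken wsu:Id="x509-1">Q29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
      <wsse:SecurityTokenReference wsu:Id="str-saml">
        <wsse:Reference URI="#_a1"/>
      </wsse:SecurityTokenReference>
      <wsse:SecurityTokenReference wsu:Id="str-x509">
        <wsse:Reference URI="#x509-1"/>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def security_header(xml_text):
    """Return the wsse:Security header element of a SOAP 1.1 envelope."""
    return ET.fromstring(xml_text.strip()).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")


def resolve_all(xml_text, registry):
    """Map each STR's wsu:Id to the local name of the token it resolves to (or None)."""
    sec = security_header(xml_text)
    out = {}
    for s in sec.findall(f"{{{WSSE}}}SecurityTokenReference"):
        token = resolve_str(s, sec, registry)
        out[s.get(f"{{{WSU}}}Id")] = None if token is None else token.tag.split("}")[1]
    return out


if __name__ == "__main__":
    print("core WSS only    :", resolve_all(SAMPLE, CORE_ID_ATTRIBUTES))
    print("with SAML profile:", resolve_all(SAMPLE, SAML11_PROFILE_ID_ATTRIBUTES))
```

With only the core registry, the STR pointing at `#_a1` resolves to nothing, which is Michael's point; with the profile's registry it resolves to the saml:Assertion, which is Frederick's. The uniqueness check in dereference is the practitioner's addition: a resolver that accepts the first of several elements carrying the same ID value is trusting message layout rather than the identifier, so an ambiguous reference is treated as an error.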
