SAML for Authentication vs SAML for Authorisation [SEC=UNCLASSIFIED]

["Otto, Ian" <Ian.Otto@industry.gov.au>]

Hi All,

           I mentioned on the last call that a new way of using SAML tokens has emerged and that I was concerned that it did not follow the standard. In investigating further, I have learned that in this case, SAML has not been used as a part of authentication, rather as a part of authorisation as set out in section 7.10 of ebMS3 Core.

 

I have written up a short discussion to illustrate difference in mechanism. Please find attached.

 

Regards, Ian Otto.

 

Ian Otto
Security Architect
VANguard and Infrastructure Branch
ICT Division
__________________________________________

Department of Industry

SAP House, Level 8.49, Bunda Street, Canberra City ACT 2600
GPO Box 9839, Canberra ACT 2601
Ph: +61-2-6276 1660 Fax: +61-2-6213 6684
Mobile: +61 403 458 215
Email:  Ian.Otto@innovation.gov.au
Internet: http://www.innovation.gov.au
ABN 74 599 608 295

 

*************************************************************************
The information contained in this e-mail, and any attachments to it,
is intended for the use of the addressee and is confidential.  If you
are not the intended recipient you must not use, disclose, read,
forward, copy or retain any of the information.  If you received this
e-mail in error, please delete it and notify the sender by return
e-mail or telephone.

The Commonwealth does not warrant that any attachments are free
from viruses or any other defects.  You assume all liability for any
loss, damage or other consequences which may arise from opening
or using the attachments.

The security of emails transmitted in an unencrypted environment
cannot be guaranteed. By forwarding or replying to this email, you
acknowledge and accept these risks.
*************************************************************************

Attachment: For and Against SAML Bearer Token in ebMS3.docx
Description: For and Against SAML Bearer Token in ebMS3.docx