OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

imi message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [imi] Token profile issue with AppliesTo and AudienceRestriction

Arun reviewed our discussion thread and decided to drop his objection.  This means that we can resolve issue IMI-28 as “Won’t Fix” or whatever this issue tracker’s equivalent is.  As part of the resolution, I’ll make the corresponding change to the SAML 1.1 token profile.

 

Arun’s reasoning went as follows:

 

Actually, I had forgotten about the fact that the recommended default behavior of selectors in the IMI spec was to NOT include the <AppliesTo> element in the RST request, which really makes the default behavior cater to IdP's that are non-auditing and issue "un-scoped" tokens. By implication, the Selector sends the <AppliesTo> element only when the IdP demands it or when the RP specifies it -- in either case, the client including that info is an explicit expression of intent to restrict the "scope" of the issued token. So I would agree with this assessment and retract the original suggestion.

 

                                                                -- Mike

 

From: John Bradley [mailto:jbradley@mac.com]
Sent: Tuesday, December 15, 2009 11:22 AM
To: Mike Jones
Cc: 'imi@lists.oasis-open.org'
Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction

 

The wsp:AppliesTo element in the RST is set by the user agent based on the card.

 

The issuer has three choices 11.7

 

The Issuer has complete control over everything but the optional case.

 

I think if the issuer has issued a Auditing or Auditing optional card they MUST honour the ic:RequireAppliesTo in the RST.

 

If that is not a requirement of the SAML 1.1 tokens I will need to revisit the ICAM profile.

We would need to make it a requirement if it is not covered in the IMI spec.

 

We say the card must have the ic:RequireAppliesTo, I don't think we called out that the STS must honour it.

 

If the RP issues unscoped tokens it shouldn't issue cards that say they support scoped tokens.

 

John B.

On 2009-12-15, at 3:13 PM, Mike Jones wrote:



The SAML 2.0 token profile currently says:

If the request contains a <wsp:AppliesTo> element, then a <saml:AudienceRestriction> containing a <saml:Audience> element MUST be included with the value of that element.

 

As part of the review of the draft SAML 1.1 token profile, Arun Nanda commented:  “This is overkill IMO. If an IdP is an open IdP that issues ‘unscoped’ tokens for consumption by any RP, it should not be forced to encode an audience in the issued token just because the request included it. So, may be SHOULD is preferred here…”

 

I tend to agree with Arun.  I think we should make this change.  That’s the language I’m using in the 1.1 profile.  After discussion, I’ll file an issue about this too.

 

                                                                -- Mike

 

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]