OASIS Mailing List Archives

saml-dev message


Subject: [saml-dev] SAML for Webservices



Hi,

I'm looking for some advice/comments on how SAML could be used to secure a
WebService.

I'm wondering what a valid AuthorizationDecisionStatement would look like,
if for example I had a service at
http://www.vordel.com/services/getTranslation, would it look like the
following?


<saml:AssertionSpecifier xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-27.xsd">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="192.168.0.131.1010924615489" Issuer="AA"
      IssueInstant="2002-03-26 16:23:35">
    <saml:AuthorizationDecisionStatement
        Resource="http://www.vordel.com/services/getTranslator" Decision="Permit">
      <saml:Actions>
        <saml:Action>Read</saml:Action>
      </saml:Actions>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
  <ds:Signature>.....Authority Signature.....</ds:Signature>
</saml:AssertionSpecifier>


What exactly should my service do if it receives the above assertion?
Should it do the following:
1) Check the signature of the assertion (signed by the Authority)
2) Check that the signature comes from a trusted authority
3) Check that the "Resource" matches what the request is trying to access
4) Check the "Decision" of the Authority (i.e. is it "Permit")


I'm also wondering how the above assertion is bound to SOAP. In
draft-sstc-bindings-model-11, it states that "SAML request-response protocol
elements MUST be enclosed within the SOAP message body." Do
assertions themselves have to be in the SOAP body, or can they go in
the SOAP header?

some feedback on this would be greatly appreciated,
Karl.


Karl Nesbitt Ph.D.
Vordel
Web services security
karl.nesbitt@vordel.com
Ph:  + 353 1 215 3316
Fax: + 353 1 215 3334
http://www.vordel.com
Cranford Court
Dublin 4  Ireland
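The four checks Karl lists, carried through as an added Python example (not code from the original post or from Vordel): it parses the posted assertion, with the stray semicolons from the archive removed, and applies the signature, issuer-trust, Resource and Decision checks in that order, refusing on the first failure. Assumptions: the draft-27 schema URI is taken from the post's xmlns declaration; the `verify_signature` callable is a hook standing in for a real XML-DSig verifier (XML Signature needs canonicalization, so in practice it wraps an XML Security library), and the lambdas passed to it below only exercise the surrounding logic; the `Conditions` validity-window check goes beyond what the post asks and applies only when the authority includes one. With the posted assertion, the Resource check alone rejects a request to .../getTranslation, because the statement names .../getTranslator.

```python
"""Relying-party checks for a SAML 1.0 AuthorizationDecisionStatement (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Collection, Optional
import xml.etree.ElementTree as ET

# Namespace URIs, assumed from the xmlns declarations in the post.
SAML_NS = ("http://www.oasis-open.org/committees/security/docs/"
           "draft-sstc-schema-assertion-27.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed sample: the post's assertion with the archive artifacts removed.
SAMPLE_ASSERTION = f"""<saml:AssertionSpecifier xmlns:ds="{DS_NS}" xmlns:saml="{SAML_NS}">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="192.168.0.131.1010924615489" Issuer="AA"
      IssueInstant="2002-03-26 16:23:35">
    <saml:AuthorizationDecisionStatement
        Resource="http://www.vordel.com/services/getTranslator" Decision="Permit">
      <saml:Actions>
        <saml:Action>Read</saml:Action>
      </saml:Actions>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
  <ds:Signature>.....Authority Signature.....</ds:Signature>
</saml:AssertionSpecifier>"""


@dataclass
class Decision:
    allowed: bool
    reason: str


def _instant(value: str) -> datetime:
    """Parse a SAML timestamp; a missing zone is read as UTC so comparisons stay aware."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, trusted_issuers: Collection[str],
                       requested_resource: str, requested_action: str,
                       verify_signature: Callable[[ET.Element, ET.Element], bool],
                       now: Optional[datetime] = None) -> Decision:
    """Permit only if every check passes; the first failing check short-circuits."""
    root = ET.fromstring(xml_text)
    # Accept a bare <Assertion> or one wrapped in <AssertionSpecifier>.
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return Decision(False, "no saml:Assertion element")

    # 1) The assertion must carry a signature, and that signature must verify.
    signature = root.find(".//ds:Signature", NS)
    if signature is None:
        return Decision(False, "assertion is not signed")
    if not verify_signature(root, signature):
        return Decision(False, "signature verification failed")

    # 2) The signing authority must be one this service trusts.
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        return Decision(False, f"issuer {issuer!r} is not trusted")

    # Validity window, only if the authority attached <saml:Conditions>.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        now = now or datetime.now(timezone.utc)
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _instant(not_before):
            return Decision(False, "assertion not yet valid")
        if not_after and now >= _instant(not_after):
            return Decision(False, "assertion has expired")

    # 3) Resource must name exactly the service being invoked; no prefix matching.
    stmt = assertion.find("saml:AuthorizationDecisionStatement", NS)
    if stmt is None:
        return Decision(False, "no AuthorizationDecisionStatement")
    if stmt.get("Resource") != requested_resource:
        return Decision(False, f"Resource {stmt.get('Resource')!r} does not match {requested_resource!r}")

    # 4) The decision must be Permit, and for the action actually requested.
    if stmt.get("Decision") != "Permit":
        return Decision(False, f"decision is {stmt.get('Decision')!r}, not Permit")
    actions = [(a.text or "").strip() for a in stmt.findall("saml:Actions/saml:Action", NS)]
    if requested_action not in actions:
        return Decision(False, f"action {requested_action!r} not among {actions}")
    return Decision(True, "permitted")


def evaluate_sample(requested_resource: str, requested_action: str,
                    signature_ok: bool = True) -> Decision:
    """Run the checks over the constructed sample; signature_ok drives the stand-in verifier."""
    return evaluate_assertion(SAMPLE_ASSERTION, {"AA"}, requested_resource, requested_action,
                              verify_signature=lambda root, sig: signature_ok)


if __name__ == "__main__":
    for resource in ("http://www.vordel.com/services/getTranslator",
                     "http://www.vordel.com/services/getTranslation"):
        print(resource, "->", evaluate_sample(resource, "Read"))
```

The order matters: the signature is checked before any attribute is read, so an unsigned or tampered assertion never reaches the Resource and Decision logic, and the trust check keys on the Issuer bound under that signature rather than on anything the SOAP envelope claims.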
