saml-dev message


Subject: [saml-dev] SAML for Webservices


I'm looking for some advice/comments on how SAML could be used to secure a

I'm wondering what a valid AuthorizationDecisionStatement would look like,
if for example I had a service at
http://www.vordel.com/services/getTranslation, would it look like the

<saml:AssertionSpecifier xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
295 schema-assertion-27.xsd">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="" Issuer="AA"
      IssueInstant="2002-03-26 16:23:35">
    <saml:AuthorizationDecisionStatement
        Resource="http://www.vordel.com/services/getTranslator" Decision="Permit">
    </saml:AuthorizationDecisionStatement>
    <ds:Signature>.....Authority Signature.....</ds:Signature>
  </saml:Assertion>
</saml:AssertionSpecifier>

What exactly should my service do if it receives the above assertion?
Should it do the following:
1) Check the signature of the assertion (signed by the Authority)
2) Check that the signature comes from a trusted authority
3) Check that the "Resource" matches what the request is trying to access
4) Check the "Decision" of the Authority (i.e. is it "Permit")

I'm also wondering how the above assertion is bound to SOAP. In
draft-sstc-bindings-model-11, it states that "SAML request-response protocol
elements MUST be enclosed within the SOAP message body." Do
assertions themselves have to be in the SOAP body, or can they go in
the SOAP header?

Some feedback on this would be greatly appreciated,

Karl Nesbitt Ph.D.
Web services security
Ph:  + 353 1 215 3316
Fax: + 353 1 215 3334
Cranford Court
Dublin 4  Ireland
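A relying-party check for the four steps listed in the question above, written as an added example that is not from the post or from any OASIS code. It assumes the SAML 1.0 assertion namespace, a constructed sample assertion (AssertionID, Conditions, Subject and Action values are hypothetical), and a pluggable `signature_ok` callback standing in for a real XML-DSig verifier; it also goes slightly beyond the post by checking the Conditions validity window and the Action.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}
# Constructed sample modelled on the assertion in the post; AssertionID,
# Conditions, Subject and Action are hypothetical values.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}"
    MajorVersion="1" MinorVersion="0" AssertionID="example-1" Issuer="AA"
    IssueInstant="2002-03-26T16:23:35Z">
  <saml:Conditions NotBefore="2002-03-26T16:23:35Z" NotOnOrAfter="2002-03-26T16:28:35Z"/>
  <saml:AuthorizationDecisionStatement
      Resource="http://www.vordel.com/services/getTranslator" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>karl</saml:NameIdentifier></saml:Subject>
    <saml:Action>Execute</saml:Action>
  </saml:AuthorizationDecisionStatement>
  <ds:Signature>...authority signature...</ds:Signature>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(assertion_xml, requested_resource, action, trusted_issuers,
              signature_ok, now):
    """Return (allowed, reason). Fails closed; nothing is believed before step 1."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 1.0 assertion"
    # Steps 1 and 2: signature present and valid, issuer is one we trust.
    # signature_ok must be a real XML-DSig verifier bound to the authority's
    # certificate; the lambda used when calling this is only a stand-in.
    if root.find("ds:Signature", NS) is None or not signature_ok(assertion_xml):
        return False, "signature missing or invalid"
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"
    # Validity window from <saml:Conditions> (not in the post, part of SAML 1.0).
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
            return False, "assertion outside its validity window"
    # Steps 3 and 4: exact Resource and Action match, then Decision must be Permit.
    for stmt in root.findall("saml:AuthorizationDecisionStatement", NS):
        if stmt.get("Resource") != requested_resource:
            continue
        if action not in {a.text for a in stmt.findall("saml:Action", NS)}:
            continue
        return stmt.get("Decision") == "Permit", "decision " + str(stmt.get("Decision"))
    return False, "no statement covers this resource and action"
```

Note that the post names the service as .../getTranslation while the assertion's Resource is .../getTranslator; the exact-match check in step 3 is what catches such a mismatch.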
