Subject: RE: [saml-dev] SAML for Webservices
> I'm wondering what a valid AuthorizationDecisionStatement
> would look like, if for example I had a service at
> http://www.vordel.com/services/getTranslation, would it look
> like the following?

Pretty close, except that the top element is Assertion. AssertionSpecifier is gone as a distinct element and wouldn't have applied in this case anyway.

> what exactly should my service do if it receives the above
> assertion? Should it do the following:
> 1) Check the signature of the assertion (signed by the Authority)
> 2) Check that the signature comes from a trusted authority
> 3) Check that the "Resource" matches what the request is
> trying to access
> 4) Check the "Decision" of the Authority (i.e. is it "Permit")

This assumes the assertion comes with the message. The simple SAML model is more about how you ask an authority to send you an assertion, so it might presume that your service has authenticated the requester and then it asks an Authz Authority for this assertion with a query, specifying the resource and the authenticated user as the subject.

> I'm also wondering how the above assertion is bound to SOAP,
> in draft-sstc-bindings-model-11, it states that "SAML
> request-response protocol elements MUST be enclosed within
> the SOAP message body."... do assertions themselves have
> to be in the SOAP body?... or can they go in the SOAP header?

The case where you bundle an assertion with the SOAP message as part of the SOAP dialog with the web service is described outside of the core spec in the SOAP profile. What you're looking at is the SOAP binding, which has nothing to do with SOAP as anything but a carrier of SAML protocol messages. It's how you would ask the authority directly for this assertion. The SOAP profile is expected to follow the release of the spec, and I believe it talks about those kinds of questions (and it would use a header as you surmise).

Scott Cantor
cantor.2@osu.edu
Office of Info Tech
The Ohio State Univ
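The four checks the questioner lists (signature, trusted authority, Resource match, Decision is "Permit"), as an added relying-party example that is not code from the thread or from any SAML implementation. It assumes a constructed SAML 1.0 assertion with the issuer name `authz.example.com`, takes the outcome of the XML-DSig check as an input (that step needs a signature library and the authority's key), and additionally enforces the assertion's Conditions validity window, which the list above does not mention.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
RESOURCE = "http://www.vordel.com/services/getTranslation"

# Constructed sample assertion for this example; the Signature element is omitted
# because its verification is delegated to the caller (see signature_ok below).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="constructed-id-1"
    Issuer="authz.example.com" IssueInstant="2002-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2002-01-01T11:55:00Z" NotOnOrAfter="2002-01-01T12:05:00Z"/>
  <saml:AuthorizationDecisionStatement Resource="%s" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>""" % RESOURCE


def parse_instant(s):
    """Parse a SAML UTC timestamp such as 2002-01-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorize(assertion_xml, trusted_issuers, resource, action, now, signature_ok):
    """Return (permit, reason). Default is deny: only an in-window assertion from a
    trusted issuer carrying Decision="Permit" for exactly this resource and action
    yields True. signature_ok is the result of XML-DSig verification (steps 1-2)."""
    if not signature_ok:
        return False, "signature did not verify"
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "top element is not Assertion"
    if root.get("Issuer") not in trusted_issuers:
        return False, "issuer not trusted"
    cond = root.find("saml:Conditions", NS)  # validity window, if present
    if cond is not None:
        if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
    for stmt in root.findall("saml:AuthorizationDecisionStatement", NS):
        if stmt.get("Resource") != resource:  # step 3: exact Resource match
            continue
        actions = {a.text.strip() for a in stmt.findall("saml:Action", NS)}
        if action not in actions:
            continue
        decision = stmt.get("Decision")  # step 4: Permit / Deny / Indeterminate
        return decision == "Permit", "decision=%s" % decision
    return False, "no decision statement for this resource and action"
```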