OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] SAML for Webservices

> I'm wondering what a valid AuthorizationDecisionStatement 
> would look like, if for example I had a service at 
> http://www.vordel.com/services/getTranslation, would it look 
> like the following?

Pretty close, except that the top element is Assertion.
AssertionSpecifier is gone as a distinct element and wouldn't have
applied in this case anyway.

> what exactly should my service do if it receives the above 
> assertion? Should it do the following:
> 1) Check the signature of the assertion (signed by the Authority)
> 2) Check that the signature comes from a trusted authority
> 3) Check that the "Resource" matches what the request is 
> trying to access
> 4) Check the "Decision" of the Authority (i.e is it "Permit")

This assumes the assertion comes with the message. The simple SAML model
is more about how you ask an authority to send you an assertion, so it
might presume that your service has authenticated the requester and then
it asks an Authz Authority for this assertion with a query, specifying
the resource and the authenticated user as the subject.

> I'm also wondering how the above assertion is bound to SOAP, 
> in draft-sstc-bindings-model-11, it states that "SAML 
> request-response protocol elements MUST be enclosed within 
> the SOAP message body."........do assertions themselves have 
> to be in the SOAP body?.......or can they go in the SOAP header?

The case where you bundle an assertion with the SOAP message as part of
the SOAP dialog with the web service is described outside of the core
spec in the SOAP profile. What you're looking at is the SOAP binding,
which has nothing to do with SOAP as anything but a carrier of SAML
protocol messages. It's how you would ask the authority directly for
this assertion.

The SOAP profile is expected to follow the release of the spec, and I
believe it talks about those kinds of questions (and it would use a
header as you surmise).

Scott Cantor
Office of Info Tech
The Ohio State Univ

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC