[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [saml-dev] SAML for Webservices
> However, would it not be possible for the client himself to > have made the AuthorizationDecisionQuery to the Authz > Authority, and then send the Assertion inside the SOAP > request? Is this a legitimate SAML scenario? Yes, based on my limited understanding that's pretty much an example of what the SOAP profile is designed for, to carry assertions with the SOAP payload and bind them together in some sense. > In this case my service would not need to make any queries, > so what exactly would it need to do?.......would the > following be enough, or are there other steps that need to be taken? > > 1) Check the signature of the assertion (signed by the Authority) > 2) Check that the signature comes from a trusted authority > 3) Check that the "Resource" matches what the request is > trying to access > 4) Check the "Decision" of the Authority (i.e is it "Permit") > 5) Check the validity of the "NotBefore" and "NotOnOrAfter" > attributes of the "Conditions" element, if they are present There might be additional rules imposed by the SOAP profile (it's not my particular area, so I'm not sure). There could also be additional Conditions defined in the assertion (currently SAML only defines the Audience condition, but others can be defined) that could render it invalid. But the basics are pretty much what you covered. The working draft of the profile that's to be taken up by the committee after SAML is finalized was recently sent to the main list here: http://lists.oasis-open.org/archives/security-services/200203/msg00160.h tml I wouldn't consider it something to code by, but it might help with your thinking and designing. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC