OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] SAML for Webservices

> However, would it not be possible for the client himself to 
> have made the AuthorizationDecisionQuery to the Authz 
> Authority, and then send the Assertion inside the SOAP 
> request? Is this a legitimate SAML scenario?

Yes, based on my limited understanding that's pretty much an example of
what the SOAP profile is designed for, to carry assertions with the SOAP
payload and bind them together in some sense.

> In this case my service would not need to make any queries, 
> so what exactly would it need to do?.......would the 
> following be enough, or are there other steps that need to be taken?
>  1) Check the signature of the assertion (signed by the Authority)
>  2) Check that the signature comes from a trusted authority
>  3) Check that the "Resource" matches what the request is
>     trying to access
>  4) Check the "Decision" of the Authority (i.e is it "Permit")
>  5) Check the validity of the "NotBefore" and "NotOnOrAfter"
>     attributes of the "Conditions" element, if they are present

There might be additional rules imposed by the SOAP profile (it's not my
particular area, so I'm not sure). There could also be additional
Conditions defined in the assertion (currently SAML only defines the
Audience condition, but others can be defined) that could render it

But the basics are pretty much what you covered.

The working draft of the profile that's to be taken up by the committee
after SAML is finalized was recently sent to the main list here:

I wouldn't consider it something to code by, but it might help with your
thinking and designing.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC