OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Digital Signature Usage in X.509 Subject Attribute Query Specifications

Anil John wrote on 2009-04-08:
> To that end, one of the options that we are considering re: Digital
> Signature usage is the following (Given that the attribute query is over
> SOAP):
> - The <samlp:AttributeQuery> element in the Request MUST be signed - The
> <saml:Assertion> element in the Response MUST be signed (before
> Encryption takes place) - The entire SOAP Request and Response messages
> MUST be signed using WS- Security.
> Are there any potential issues with this approach we should be watching
> out for?

Yes, it's usually pointless. SAML is designed such that the use of SOAP is
meaningless unless you need the capabilities for some higher level purpose.
All of the relevant information is in the SAML protocol messages in the
bodies. You wouldn't even have SOAP headers unless you were using some other
specification to handle the SOAP layer.

In that event, whether it makes sense to also sign the SOAP message would
depend on the headers' purpose.

The main case that comes up is relying on WS-Security for actual
authentication of the SAML messages themselves, typically the request, and
in that case you wouldn't *also* sign the SAML request itself, typically.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]