[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Digital Signature Usage in X.509 Subject Attribute Query Specifications
Anil John wrote on 2009-04-08: > To that end, one of the options that we are considering re: Digital > Signature usage is the following (Given that the attribute query is over > SOAP): > > - The <samlp:AttributeQuery> element in the Request MUST be signed - The > <saml:Assertion> element in the Response MUST be signed (before > Encryption takes place) - The entire SOAP Request and Response messages > MUST be signed using WS- Security. > > Are there any potential issues with this approach we should be watching > out for? Yes, it's usually pointless. SAML is designed such that the use of SOAP is meaningless unless you need the capabilities for some higher level purpose. All of the relevant information is in the SAML protocol messages in the bodies. You wouldn't even have SOAP headers unless you were using some other specification to handle the SOAP layer. In that event, whether it makes sense to also sign the SOAP message would depend on the headers' purpose. The main case that comes up is relying on WS-Security for actual authentication of the SAML messages themselves, typically the request, and in that case you wouldn't *also* sign the SAML request itself, typically. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]