OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Question about Subject of a SAML assertion

The most common way to do this is with the subject confirmation.   In
browser SSO, the subject confirmation is typically "bearer" -- meaning
that simple possession of the token is good enough to claim to be the
subject (or at least acting in the name of the subject).

However, with a service client the client itself can have an identity
that is asserted using some form of private key or certificate.  The
subject confirmation can refer to this key and in that case only that
service client would be able to use that assertion to communicate with
a relying party.

If you're worried about which relying party the SC could use the
assertion at, that is controlled by the Audience Restriction condition
which defines the set of one or more relying parties for which an 
assertion is generated for.


> -----Original Message-----
> From: Massimiliano Masi [mailto:masi@math.unifi.it]
> Sent: Friday, April 10, 2009 5:13 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Question about Subject of a SAML assertion
> Hello,
> I've a question about the Subject element of an Authentication
> Assertion.
> An user ``A'' is sitting in front of a service client SC. She wants to
> obtain an
> assertion from an IdP, using WS-Trust. The service client is trusted by
> some meanings by the user (for example X509 certificates), and the user
> is
> trusted by the service client because he knows his password.
> Now, the communication with the IdP is in
> place and the IdP authenticate the user, for example, and creates the
> new SAML assertion. The subject of the SAML assertion is the user ``A'',
> there are no meanings for the third service (the assertion consumer)
> that
> the user A is sitting on the service client SC, in the SAML assertion.
> What happens if a valid service client SC' (valid for the network, I
> mean),
> with a valid user A', obtains the token? Can he impersonate A on SC?
> How to put the identity of SC in the SAML token?
> Let's imagine a token signed, with the Bearer subjectConfirmation.
> Thanks,
>        Massimiliano
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]