[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Fwd: [wss-m-comment] Question on "Web Services Security SAML Token Profile Version 1.1.1" - is the example for sender-vouches (3.5.2) correct?
Hello all,

We are currently working on an issue concerning the signature of a message that uses the “sender-vouches” confirmation method.

What we know:
- When using “sender-vouches” as the SAML confirmation method, a ds:Signature element can be used to sign the SAML assertion and the message body.

Not clear:
The correct location of the ds:Signature element for “sender-vouches”. Should the ds:Signature be inside the SAML Assertion element, or can it be outside it, within the wsse:Security element (where the Assertion also is)?

Your example under http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc307397296, section 3.5.2.4, looks like a poorly copied version of the “holder-of-key” example. The confirmation method is wrong, so it is not clear whether there are other copy-and-paste errors as well.
The description for “holder-of-key” states explicitly that the SAML Assertion should contain the ds:Signature. The description for “sender-vouches” does not contain such a statement.

Would this be a more correct example?

<S12:Envelope xmlns:S12="..." xmlns:wsu="...">
  <S12:Header>

    <wsse:Security xmlns:wsse="..." xmlns:wsse11="..." xmlns:ds="...">
      <saml2:Assertion xmlns:saml2="..." xmlns:xsi="..."
                       ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
        <saml2:Subject>
          <saml2:NameID>
            ...
          </saml2:NameID>
          <saml2:SubjectConfirmation
              Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
            <saml2:SubjectConfirmationData
                xsi:type="saml2:KeyInfoConfirmationDataType">
              <ds:KeyInfo>
                <ds:KeyValue>…</ds:KeyValue>
              </ds:KeyInfo>
            </saml2:SubjectConfirmationData>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Statement>
          …
        </saml2:Statement>
        …
      </saml2:Assertion>

      <wsse:SecurityTokenReference wsu:Id="STR1"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
        <wsse:Reference wsu:Id="…"
            URI="https://www.opensaml.org?_a75adf55-01d7-40cc-929f-dbd8372ebdbe">
        </wsse:Reference>
      </wsse:SecurityTokenReference>

      <ds:Signature>
        <ds:SignedInfo>
… (continue as in section 3.5.2.4)


Kind regards,
Cornelia Remmicke

Within the contractual relationship between Volkswagen AG and ITARICON GmbH, I am contacting you with the above request.
If you have any further questions, you can contact Mr Herbert Franke (herbert2.franke@volkswagen.de) at any time.

ITARICON Digital Customer Solutions
_____________________________________________________________
ITARICON GmbH
Wiener Platz 9, 01069 Dresden
Managing Directors: Thomas Reppe, Jörg Atai-Nölke, Daniel Kunze
Dresden District Court (Amtsgericht Dresden), HRB 24701
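As an added example (not part of the mail above and not taken from the OASIS profile), the following Python script checks the layout the mail proposes: a ds:Signature that is a direct child of wsse:Security and whose ds:Reference list covers both the SOAP Body (by wsu:Id) and the assertion, either directly by its ID or through a signed wsse:SecurityTokenReference that resolves to that ID. The sample envelope, its identifiers (_a1, STR1, MsgBody) and the stripped-down references are constructed for the example; the script inspects structure only and does not verify digests or the signature value, and it does not implement the profile's STR-Transform processing.

```python
"""Structural check for a WS-Security "sender-vouches" SOAP envelope.

Added example, not code from the OASIS spec or from the mail. It answers the
narrow question "is the sender's signature where we expect it, and does it
cover the body and the assertion?" and nothing more.
"""
import xml.etree.ElementTree as ET

NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
WSU_ID = "{%s}Id" % NS["wsu"]


def check_sender_vouches(envelope_xml):
    """Return a list of problems; an empty list means the layout is as expected."""
    problems = []
    root = ET.fromstring(envelope_xml)
    security = root.find("S12:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    assertion = security.find("saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion inside wsse:Security"]
    assertion_id = assertion.get("ID") or ""
    if not assertion_id:
        problems.append("saml2:Assertion has no ID attribute")

    # 1. The confirmation method must really be sender-vouches (the point the mail raises).
    methods = [sc.get("Method") for sc in
               assertion.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if SENDER_VOUCHES not in methods:
        problems.append("SubjectConfirmation Method %r is not sender-vouches" % (methods,))

    # 2. The sender's signature sits directly under wsse:Security, next to the assertion.
    sigs = security.findall("ds:Signature", NS)
    if not sigs:
        problems.append("no ds:Signature directly under wsse:Security")

    # Collect every same-document reference (#id) those signatures claim to cover.
    referenced = set()
    for sig in sigs:
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                referenced.add(uri[1:])

    # 3. The Body must carry a wsu:Id and be one of the signed references.
    body = root.find("S12:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    if not body_id:
        problems.append("S12:Body has no wsu:Id, so the signature cannot reference it")
    elif body_id not in referenced:
        problems.append("signature does not reference the Body (wsu:Id=%s)" % body_id)

    # 4. The assertion must be covered: directly (#AssertionID) or via a signed STR
    #    whose wsse:Reference/URI or wsse:KeyIdentifier ends in the assertion ID.
    covered = bool(assertion_id) and assertion_id in referenced
    for str_el in security.iterfind("wsse:SecurityTokenReference", NS):
        str_id = str_el.get(WSU_ID)
        if str_id not in referenced:
            continue
        targets = [r.get("URI", "") for r in str_el.iterfind("wsse:Reference", NS)]
        targets += [(k.text or "").strip() for k in str_el.iterfind("wsse:KeyIdentifier", NS)]
        if assertion_id and any(t.endswith(assertion_id) for t in targets):
            covered = True
        else:
            problems.append("signed STR %s does not point at assertion %s" % (str_id, assertion_id))
    if not covered:
        problems.append("signature does not cover the SAML assertion (ID=%s)" % assertion_id)
    return problems


# Constructed sample envelope (hypothetical IDs, no real digests or signature value).
TEMPLATE = """<S12:Envelope xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <S12:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
        <saml2:Subject>
          <saml2:NameID>alice</saml2:NameID>
          <saml2:SubjectConfirmation Method="{method}"/>
        </saml2:Subject>
      </saml2:Assertion>
      <wsse:SecurityTokenReference wsu:Id="STR1">
        <wsse:Reference URI="{str_uri}"/>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo>{refs}</ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S12:Header>
  <S12:Body wsu:Id="MsgBody"><ping/></S12:Body>
</S12:Envelope>"""


def build_envelope(method=SENDER_VOUCHES, refs=("#STR1", "#MsgBody"), str_uri="#_a1"):
    """Build a variant of the constructed sample so the check can be exercised."""
    ref_xml = "".join('<ds:Reference URI="%s"/>' % r for r in refs)
    return TEMPLATE.format(method=method, refs=ref_xml, str_uri=str_uri)


if __name__ == "__main__":
    print("proposed layout:", check_sender_vouches(build_envelope()))
    print("wrong method   :", check_sender_vouches(build_envelope(method=HOLDER_OF_KEY)))
    print("body only      :", check_sender_vouches(build_envelope(refs=("#MsgBody",))))
    print("STR mismatch   :", check_sender_vouches(build_envelope(str_uri="#_other")))
```

The "wrong method" variant reproduces the defect the mail points out in the spec example (a holder-of-key method pasted into a sender-vouches example); the "STR mismatch" variant catches a SecurityTokenReference whose URI does not resolve to the assertion that is actually in the header, which is worth checking whenever IDs are copied between examples.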