[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: Is an authentication assertion mandatory in SAML?
[Hal wrote:] By the end of the meeting, my understanding was that Marlena's main sticking points were: 1. Shib wants signed artifacts, SAML is not willing to require this 2. The SAML Browser profile which uses artifacts currently proposes that there be at least one that refers to an AuthN assertion. Thanks, Hal. Let me clarify a bit: o My primary issue with the type 0001 artifact is its appropriation of the validity period and audiences fields in the assertion. I don't want to mess with either field in an attribute assertion; I can however live with "alterations" in an authN assertion. o I don't care so much about the authN assertion requirement per se as I care about having to get one *before* I get an attribute assertion. I know I wasn't clear on this -- I hadn't reached this conclusion until today. If we can have a design that shoves both at the same time, I'm okay with that. We do though need to fully tackle the subject (no pun intended) of what the Subject field should be for pseudonymity/anonymity in the authN and attr assertions. (I've mentioned this issue but not yet made suggestions. I know there have been suggestions/debate by others but I don't recall a concrete proposal.) o The Shibb "artifact" I've written about requires authenticity and integrity. It doesn't require signing per se -- I wasn't precise about this at the F2F. (Does this make it significantly less objectionable?) o Lastly, I haven't complained about it (because it is a secondary issue) but I do not think that the requirement of a new "partner id" namespace is a good thing (however necessary it may be for artifact type 0001). I'll note that the Shibb artifact doesn't require a new namespace. (Admittedly, one could argue about which is worse: having to authenticate the artifact or having to have a new needs-to-be-configured-and-updated namespace. (I'm sure it depends on one's environment.)) And, finally, though I have the inclination to continue to discuss my belief that having "different artifacts for different environments" is not at all a bad thing, I'm going to refrain. Reason: There is a growing movement in Shibboleth towards using POSTed assertions. It is far from a done deal, but it looks promising. If this pans out, we would drop the artifact (actually "a handle package") from our design. This still leaves open the question of how impersonation countermeasures are done. If we have to POST an authN assertion with altered validity and audiences fields along with an attr assertion (with un-appropriated fields), that is probably livable. (I still prefer 'packaging' countermeasure info around the assertion(s) and leaving those fields alone.) OK. I'm done. Thanks, Marlena
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC