OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services-comment] RE: SAML1.0 BAP Spec Question

Unfortunately, I would have to say there is an ambiguity in the SAML 1.0
specification which leaves the intent somewhat unclear. This ambiguity WAS
subsequently addressed in the SAML 1.1 specification.

The SAML 1.0 specification only states that:

The <saml:ConfirmationMethod> element of each assertion MUST be set to 527
urn:oasis:names:tc:SAML:1.0:cm:artifact-01. 528

However, the <saml:ConfirmationMethod> element is a sub-element in the
<saml:SubjectConfirmation> element, which is itself OPTIONAL. Hence, lines
527 - 528 can also be ready as saying:

If the <saml:SubjectConfirmation> element is present, then the
<saml:ConfirmationMethod> element should be set as above.

Please note that the SAML 1.0 specification makes no reference to
<saml:ConfirmationData> etc. so it is incorrect to make any claims about its
presence or absence in the assertion.

In SAML 1.1, lines 527-528 were revised to read:

Every subject-based statement in the assertion(s) returned to the
destination site MUST contain a
<saml:SubjectConfirmation> element as follows: 552
* The <saml:ConfirmationMethod> element MUST be set to either 553
urn:oasis:names:tc:SAML:1.0:cm:artifact-01 (deprecated) or
urn:oasis:names:tc:SAML:1.0:cm:artifact 554
* The <SubjectConfirmationData> element SHOULD NOT be specified. 556

It appears that at least some of the discussion below references SAML 1.1
text. While this is OK in an informal way, I would have to say it is
technically incorrect to apply SAML 1.1 text to SAML 1.0 profiles.

- prateek

-----Original Message-----
From: Philpott, Robert [mailto:rphilpott@rsasecurity.com] 
Sent: Monday, May 31, 2004 8:49 PM
To: Terry McBride; security-services-comment@lists.oasis-open.org
Subject: [security-services-comment] RE: SAML1.0 BAP Spec Question

Hi Terry,

> -----Original Message-----
> From: Terry McBride [mailto:terry@enspier.com]
> Sent: Thursday, May 27, 2004 2:34 PM
> To: security-services-comment@lists.oasis-open.org
> Cc: Philpott, Robert
> Subject: SAML1.0 BAP Spec Question
> Hello,
> I have a question about SAML1.0 BAP.
> The "Assertions and Protocol" document allows the <Subject> of a
> Statement to contain either <NameIdentifier>, <SubjectConfirmation>,
> both.
> In the "Bindings and Profiles" document the <ConfirmationMethod> seems
> to be required for the artifact profile.  Is it truly required or is
> the required Confirmation Method when a <SubjectConfirmation> element
> present?

[Rob] When using BAP, the <Subject> element in the assertion
statement(s) returned in response to the <ArtifactRequest> must contain
a <SubjectConfirmation> element with a child <ConfirmationMethod>
element set to the urn:...:artifact-01 identifier.  Note that NO
<ConfirmationData> should be present.

> The Bindings section I'm referring to is below:
> Required Information
> Identification: urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
> Contact information: security-services-comment@lists.oasis-open.org
> The following identifier has been assigned to this confirmation
> urn:oasis:names:tc:SAML:1.0:cm:artifact-01
> ...
> Steps 4 and 5: Acquiring the Corresponding Assertions
> ...
> 527  The <saml:ConfirmationMethod> element of each assertion MUST be
> to
> 528  urn:oasis:names:tc:SAML:1.0:cm:artifact-01.
> Thank you,
> Terry McBride
> www.enspier.com

To unsubscribe from this list, send a post to
security-services-comment-unsubscribe@lists.oasis-open.org, or visit

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]