Subject: RE: [security-services-comment] RE: SAML1.0 BAP Spec Question
Unfortunately, I would have to say there is an ambiguity in the SAML 1.0 specification which leaves the intent somewhat unclear. This ambiguity WAS subsequently addressed in the SAML 1.1 specification.

The SAML 1.0 specification only states that:

    527 The <saml:ConfirmationMethod> element of each assertion MUST be set to
    528 urn:oasis:names:tc:SAML:1.0:cm:artifact-01.

However, the <saml:ConfirmationMethod> element is a sub-element in the <saml:SubjectConfirmation> element, which is itself OPTIONAL. Hence, lines 527-528 can also be read as saying: If the <saml:SubjectConfirmation> element is present, then the <saml:ConfirmationMethod> element should be set as above.

Please note that the SAML 1.0 specification makes no reference to <saml:ConfirmationData> etc., so it is incorrect to make any claims about its presence or absence in the assertion.

In SAML 1.1, lines 527-528 were revised to read:

    552 Every subject-based statement in the assertion(s) returned to the destination site MUST contain a <saml:SubjectConfirmation> element as follows:
    553 * The <saml:ConfirmationMethod> element MUST be set to either
    554 urn:oasis:names:tc:SAML:1.0:cm:artifact-01 (deprecated) or urn:oasis:names:tc:SAML:1.0:cm:artifact
    555 (RECOMMENDED).
    556 * The <SubjectConfirmationData> element SHOULD NOT be specified.

It appears that at least some of the discussion below references SAML 1.1 text. While this is OK in an informal way, I would have to say it is technically incorrect to apply SAML 1.1 text to SAML 1.0 profiles.
- prateek

-----Original Message-----
From: Philpott, Robert [mailto:email@example.com]
Sent: Monday, May 31, 2004 8:49 PM
To: Terry McBride; firstname.lastname@example.org
Subject: [security-services-comment] RE: SAML1.0 BAP Spec Question

Hi Terry,

> -----Original Message-----
> From: Terry McBride [mailto:email@example.com]
> Sent: Thursday, May 27, 2004 2:34 PM
> To: firstname.lastname@example.org
> Cc: Philpott, Robert
> Subject: SAML1.0 BAP Spec Question
>
> Hello,
>
> I have a question about SAML1.0 BAP.
>
> The "Assertions and Protocol" document allows the <Subject> of a
> Statement to contain either <NameIdentifier>, <SubjectConfirmation>, or
> both.
>
> In the "Bindings and Profiles" document the <ConfirmationMethod> seems
> to be required for the artifact profile. Is it truly required or is it
> the required Confirmation Method when a <SubjectConfirmation> element is
> present?

[Rob] When using BAP, the <Subject> element in the assertion statement(s) returned in response to the <ArtifactRequest> must contain a <SubjectConfirmation> element with a child <ConfirmationMethod> element set to the urn:...:artifact-01 identifier. Note that NO <ConfirmationData> should be present.

> The Bindings section I'm referring to is below:
>
> 22.214.171.124 Required Information
>
> Identification: urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
>
> Contact information: email@example.com
>
> The following identifier has been assigned to this confirmation method:
>
> urn:oasis:names:tc:SAML:1.0:cm:artifact-01
>
> ...
>
> 126.96.36.199 Steps 4 and 5: Acquiring the Corresponding Assertions
> ...
> 527 The <saml:ConfirmationMethod> element of each assertion MUST be set
> to
> 528 urn:oasis:names:tc:SAML:1.0:cm:artifact-01.
>
> Thank you,
>
> Terry McBride
> www.enspier.com
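As an added example (not part of this thread, and not code from OASIS or any SAML implementation), the following is a check a destination site could run over the assertions it receives in steps 4 and 5 of the artifact profile. With strict_1_1=True it applies the SAML 1.1 wording quoted above (every subject-based statement carries <SubjectConfirmation>, the method is one of the two artifact identifiers, and <SubjectConfirmationData> is absent); with strict_1_1=False it applies the looser SAML 1.0 reading prateek describes (confirmation optional, but if present the method must still be the artifact identifier). The function name, the SAML_NS constant, the helper that builds the sample assertions, and the sample assertions themselves are constructed for illustration.

```python
# Added example: validate SubjectConfirmation in assertions returned for an
# artifact, under the SAML 1.1 rule or the looser SAML 1.0 reading.
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace

# Identifiers quoted in the thread: artifact-01 (deprecated in 1.1) and artifact.
ARTIFACT_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:cm:artifact-01",
    "urn:oasis:names:tc:SAML:1.0:cm:artifact",
}

# The subject-based statement types defined by the SAML 1.x assertion schema.
SUBJECT_STATEMENTS = (
    "AuthenticationStatement",
    "AttributeStatement",
    "AuthorizationDecisionStatement",
)


def _q(local: str) -> str:
    """Clark-notation tag for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def check_artifact_assertion(xml_text: str, strict_1_1: bool = True) -> List[str]:
    """Return a list of profile violations found in one assertion.

    An empty list means the assertion is acceptable for the artifact profile
    under the selected reading (SAML 1.1 when strict_1_1 is True).
    """
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    for tag in SUBJECT_STATEMENTS:
        for stmt in root.iter(_q(tag)):
            subject = stmt.find(_q("Subject"))
            if subject is None:
                problems.append(f"{tag}: missing <Subject>")
                continue
            conf = subject.find(_q("SubjectConfirmation"))
            if conf is None:
                # SAML 1.1 requires the element; the SAML 1.0 reading leaves it optional.
                if strict_1_1:
                    problems.append(f"{tag}: missing <SubjectConfirmation>")
                continue
            methods = [m.text.strip() for m in conf.findall(_q("ConfirmationMethod")) if m.text]
            if not methods:
                problems.append(f"{tag}: <SubjectConfirmation> has no <ConfirmationMethod>")
            for method in methods:
                if method not in ARTIFACT_METHODS:
                    problems.append(f"{tag}: unexpected confirmation method {method}")
            # SAML 1.1 says SubjectConfirmationData SHOULD NOT be specified;
            # the SAML 1.0 profile text says nothing about it, so only flag it in strict mode.
            if strict_1_1 and conf.find(_q("SubjectConfirmationData")) is not None:
                problems.append(f"{tag}: <SubjectConfirmationData> present")
    return problems


def _assertion(subject_inner: str) -> str:
    """Constructed helper: wrap a <Subject> body in a minimal one-statement assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1" '
        'AssertionID="constructed-1" Issuer="https://idp.example.invalid" '
        'IssueInstant="2004-05-27T18:34:00Z">'
        '<saml:AuthenticationStatement '
        'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        'AuthenticationInstant="2004-05-27T18:33:00Z">'
        f"<saml:Subject>{subject_inner}</saml:Subject>"
        "</saml:AuthenticationStatement></saml:Assertion>"
    )


# Constructed sample assertions (not from any real deployment).
GOOD = _assertion(
    "<saml:NameIdentifier>alice</saml:NameIdentifier>"
    "<saml:SubjectConfirmation>"
    "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>"
    "</saml:SubjectConfirmation>"
)
NAME_ONLY = _assertion("<saml:NameIdentifier>alice</saml:NameIdentifier>")
WRONG_METHOD = _assertion(
    "<saml:SubjectConfirmation>"
    "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>"
    "<saml:SubjectConfirmationData>opaque</saml:SubjectConfirmationData>"
    "</saml:SubjectConfirmation>"
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("name-only", NAME_ONLY), ("wrong-method", WRONG_METHOD)):
        print(label, "SAML 1.1:", check_artifact_assertion(doc))
        print(label, "SAML 1.0:", check_artifact_assertion(doc, strict_1_1=False))
```

The two modes make the thread's point concrete: an assertion whose <Subject> carries only a <NameIdentifier> passes under the SAML 1.0 reading and fails under SAML 1.1, while a non-artifact confirmation method fails under both, since both texts fix the method whenever <SubjectConfirmation> is present.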