[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] ISSUE: bindings-model-11: SSO Assertion'sConfirmationMethod set to SAMLArtifact?
ISSUE: bindings-model-11: SSO Assertion's ConfirmationMethod set to SAMLArtifact? lines 525-526 of bindings-model-11 say.. "The <saml:ConfirmationMethod> element of each assertion MUST be set to SAMLArtifact (see [SAMLCore])." The semantics of this don't seem to make sense, since the assertion in this case (termed an "SSO assertion" in bindings-model-11, lines 398-400), is returned to the requester as a result of making a <saml:Request> containing assertion artifacts in the <samlp:AssertionArtifact> element (lines 502-503). Now, core-27 states in line 647 that the definition of ConfirmationMethod is.. A URI that identifies a protocol to be used to authenticate the subject. ^^^^^^^^^^ ..and the dereferenced SAMLArtifact by definition *can't* be used to "authenticate the subject" again in the future, because it is "one time use" and was already used to obtain the assertion-cum-AuthenticationStatement. Is the purpose of requiring this use of SAMLArtifact in ConfirmationMethod simply a way to ensure that assertions-cum-AuthenticationStatements obtained via dereferencing of a SAMLArtifact are flagged as such? And/or is the purpose to inform the requester that the way to AGAIN, in the (near) future, authenticate the subject (perhaps to check session liveness), is to (again) initiate Step 1 of "Browser/Artifact Profile of SAML" (line 437) by redirecting the user's browser to the inter-site transfer service? Either way, the language in bindings-model-11 should be cleand up and augemented in order to clarify the purpose of having the ConfirmationMethod of the returned assertions set to SAMLArtifact. thanks, JeffH
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC