[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] ISSUE: bindings-model-11: SSO Assertion'sConfirmationMethod set to SAMLArtifact?
[Jeff] >lines 525-526 of bindings-model-11 say.. > "The <saml:ConfirmationMethod> element of each assertion MUST be set to > SAMLArtifact (see [SAMLCore])." >The semantics of this don't seem to make sense, since the assertion in >this >case (termed an "SSO assertion" in bindings-model-11, lines 398-400), is >returned to the requester as a result of making a <saml:Request> >containing >assertion artifacts in the <samlp:AssertionArtifact> element (lines >502-503). >Now, core-27 states in line 647 that the definition of >ConfirmationMethod is.. > A URI that identifies a protocol to be used to authenticate the >subject. ^^^^^^^^^^ >..and the dereferenced SAMLArtifact by definition *can't* be used to >"authenticate the subject" again in the future, because it is "one time >use" >and was already used to obtain the >assertion-cum-AuthenticationStatement. I don't follow this point. There is no issue of "future" here. Some user has shown up with an artifact at some site; the site now obtains the assertion associated with the artifact. Generally speaking, the confirmation method indicates the technique used to connect the assertion with the user. In this case, there is no technique specified and that is what the confirmation method element indicates. Further, it also indicates that the assertion must have been obtained by a lookup call from the source site. >Is the purpose of requiring this use of SAMLArtifact in >ConfirmationMethod >simply a way to ensure that >assertions-cum-AuthenticationStatements obtained via dereferencing of a >SAMLArtifact are flagged as such? This is correct. The point here is that assertions obtained via artifact lookup in the browser profile have a special status: they were obtained via the artifact browser profile and the confirmation method provides this information. >And/or is the purpose to inform the requester that the way to AGAIN, in >the >(near) future, authenticate the subject (perhaps to check session >liveness), is >to (again) initiate Step 1 of "Browser/Artifact Profile of SAML" (line >437) by >redirecting the user's browser to the inter-site transfer service? Not at all. There is no such intent here. >Either way, the language in bindings-model-11 should be cleand up and >augemented in order to clarify the purpose of having the >ConfirmationMethod of >the returned assertions set to SAMLArtifact. Jeff, I really dont see the confusion here. To me this feels like an editorial issue. If you would like to see an additional line added to lines 525-526, well and good, go ahead and propose the text. - prateek
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC