[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] ISSUE: bindings-model-11: SSO Assertion'sConfirmationMethod set to SAMLArtifact?
[Jeff]
>lines 525-526 of bindings-model-11 say..
> "The <saml:ConfirmationMethod> element of each assertion MUST be set
to
> SAMLArtifact (see [SAMLCore])."
>The semantics of this don't seem to make sense, since the assertion in
>this
>case (termed an "SSO assertion" in bindings-model-11, lines 398-400), is
>returned to the requester as a result of making a <saml:Request>
>containing
>assertion artifacts in the <samlp:AssertionArtifact> element (lines
>502-503).
>Now, core-27 states in line 647 that the definition of
>ConfirmationMethod is..
> A URI that identifies a protocol to be used to authenticate the
>subject.
^^^^^^^^^^
>..and the dereferenced SAMLArtifact by definition *can't* be used to
>"authenticate the subject" again in the future, because it is "one time
>use"
>and was already used to obtain the
>assertion-cum-AuthenticationStatement.
I don't follow this point. There is no issue of "future" here. Some
user has shown up with an artifact at some site; the site now obtains
the assertion associated with the artifact. Generally speaking, the
confirmation method indicates the technique used to connect the assertion
with the user. In this case, there is no technique specified and that is
what the confirmation method element indicates. Further, it also indicates
that the assertion must have been obtained by a lookup call from the source
site.
>Is the purpose of requiring this use of SAMLArtifact in
>ConfirmationMethod
>simply a way to ensure that
>assertions-cum-AuthenticationStatements obtained via dereferencing of a
>SAMLArtifact are flagged as such?
This is correct. The point here is that assertions obtained via
artifact lookup in the browser profile have a special status: they
were obtained via the artifact browser profile and the confirmation
method provides this information.
>And/or is the purpose to inform the requester that the way to AGAIN, in
>the
>(near) future, authenticate the subject (perhaps to check session
>liveness), is
>to (again) initiate Step 1 of "Browser/Artifact Profile of SAML" (line
>437) by
>redirecting the user's browser to the inter-site transfer service?
Not at all. There is no such intent here.
>Either way, the language in bindings-model-11 should be cleand up and
>augemented in order to clarify the purpose of having the
>ConfirmationMethod of
>the returned assertions set to SAMLArtifact.
Jeff, I really dont see the confusion here. To me this feels
like an editorial issue. If you would like to see an additional
line added to lines 525-526, well and good, go ahead and propose
the text.
- prateek
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC