Subject: [security-services] Discussion topic for con-call on Tuesday, June 11


Colleagues,

I propose we initiate development of a WS-Security profile for SAML through the OASIS SSTC.

In previous work [SOAP-SAML], a SOAP Profile for SAML was proposed. This work was not included with SAML 1.0 due to lack of time for review and implementation.

Subsequently, in April, the WS-Security proposal [WS-Sec] made its appearance, thereby providing a foundation for the secure attachment of security tokens (such as SAML) to SOAP messages. I have previously published a note [WS-SecAndSAML] explaining the difference between [SOAP-SAML] and [WS-Sec].

Overview of Proposal:
---------------------

NOTE: Please review [SOAP-SAML] SOAP Profile of SAML at this point.
 
(1) SAML assertions MUST be included within the <wsse:Security> element, as in:

<Security>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="0" AssertionID="192.168.6.40.1021066861062"
        Issuer="http://www.netegrity.com/authEngine"
        IssueInstant="2002-05-10T21:41:01Z">
        <saml:Conditions NotBefore="2002-05-10T21:38:59Z"
            NotOnOrAfter="2002-05-10T21:43:59Z">
            <saml:AudienceRestrictionCondition>
                <saml:Audience>http://www.thecompany.com/someBusinessAgreement</saml:Audience>
            </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2002-05-10T21:41:01Z">
            <saml:Subject>
                <saml:NameIdentifier NameQualifier="www.netegrity.com"
                    Format="urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
                    joe@user.com
                </saml:NameIdentifier>
            </saml:Subject>
            <saml:SubjectLocality IPAddress="192.168.6.40"
                DNSAddress="authEngine.netegrity.com"/>
        </saml:AuthenticationStatement>
    </saml:Assertion>

    <saml:Assertion> ... </saml:Assertion>
    ...
</Security>

A plurality of SAML assertions MAY be included within the <Security> element.
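As an added illustration of point (1), written for this note and not part of the original post or of any OASIS draft, the following Python carries the assertion above inside a <wsse:Security> header of a constructed SOAP envelope and applies the checks a receiver should make before trusting it: that the assertion really sits inside the Security header, that its Conditions window covers the current time, and that the audience matches. The wsse namespace URI is an assumption (the April 2002 WS-Security draft namespace); the signature binding of point (3) is not covered here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 and SAML 1.0 are as on the page; the wsse URI is the
# April 2002 WS-Security draft namespace and is an assumption of this example.
NS = {"env": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: the post's assertion carried in a <wsse:Security> header.
SAMPLE_ENVELOPE = f"""<env:Envelope xmlns:env="{NS['env']}"><env:Header>
 <wsse:Security xmlns:wsse="{NS['wsse']}">
  <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="0"
    AssertionID="192.168.6.40.1021066861062" Issuer="http://www.netegrity.com/authEngine"
    IssueInstant="2002-05-10T21:41:01Z">
   <saml:Conditions NotBefore="2002-05-10T21:38:59Z" NotOnOrAfter="2002-05-10T21:43:59Z">
    <saml:AudienceRestrictionCondition>
     <saml:Audience>http://www.thecompany.com/someBusinessAgreement</saml:Audience>
    </saml:AudienceRestrictionCondition>
   </saml:Conditions>
  </saml:Assertion>
 </wsse:Security>
</env:Header><env:Body/></env:Envelope>"""

def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertions(envelope_xml, now, expected_audience):
    """Receiver-side checks for point (1); returns a list of problems (empty = OK)."""
    root = ET.fromstring(envelope_xml)
    # Only assertions under Header/Security count; an assertion placed anywhere
    # else in the message is not a security token and is ignored.
    assertions = root.findall("env:Header/wsse:Security/saml:Assertion", NS)
    if not assertions:
        return ["no saml:Assertion inside wsse:Security"]
    problems = []
    for a in assertions:
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            problems.append(f"{a.get('AssertionID')}: no Conditions")
            continue
        # NotBefore is inclusive, NotOnOrAfter exclusive (SAML semantics).
        if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
            problems.append(f"{a.get('AssertionID')}: outside validity window")
        audiences = [e.text for e in
                     cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append(f"{a.get('AssertionID')}: audience mismatch")
    return problems
```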
    
 
(2) A <SecurityTokenReference> element MAY reference a SAML assertion (local or remote).

(3) Recall that two processing models for SAML assertions are introduced in [1]: HolderOfKey and SenderVouches. In each case, a <ds:Signature> element is required to bind the assertions to the payload. This <ds:Signature> element MUST be placed within the <Security> element together with the appropriate SAML assertions.

    (a) HolderOfKey: the <ds:KeyInfo> element of the <ds:Signature> holds a <SecurityTokenReference> element that references an assertion holding information about the signing key.

    (b) SenderVouches: the <ds:KeyInfo> element of the <ds:Signature> holds the information about the signing key directly.
 
Please comment.
 
------------------------------------------
References:

[SOAP-SAML] SOAP Profile of the OASIS SAML,
http://www.oasis-open.org/committees/security/docs/draft-sstc-soap-profile-model-01.pdf

[WS-Sec] WS-Security and WS-Security Roadmap,
http://www.verisign.com/spotlight/02/0219/

[WS-SecAndSAML] Relationship between WS-Security and SAML 1.0,
http://lists.oasis-open.org/archives/security-services/200204/msg00120.html