
security-services message


Subject: RE: [security-services] Credentials Collector proposal for SAML 2.0


I agree with Hal.  The case labeled as "1" below is the one that changes
with a Credentials Collector.  The other two don't involve the use of a CC.

Frederick:  your reading is correct.  The SAML 1.0 spec explicitly says (see
Section 3.3.3) that the "<AuthenticationQuery> MAY NOT be used as a request
for a new authentication using credentials provided in the request."  The
protocol message that we define from the CC to the AA is intended to fill
this gap.


-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Tuesday, April 15, 2003 11:20 AM
To: Frederick.Hirsch@nokia.com; security-services@lists.oasis-open.org
Subject: RE: [security-services] Credentials Collector proposal for SAML

Sorry I am behind in my email.

I believe the answer is yes.

However, it is important to make the distinction between a request that
causes the assertion in question to be generated and a request that causes
the activity to which the assertion refers to occur.

I believe it is legal for any of the three types of statements to be
generated at the time of the response and not previously. (If Kerberos is
used as a subject confirmation method, this is virtually required, as tickets
are receiver-specific.)

However, with respect to the activity, I believe the semantics are as follows:

1. A request for an AuthN statement is a request for information about an
event that has already occurred. This is the case that would change with a
Credentials Collector. The new request type would say "Please perform an
Authentication right now, using the data provided."

2. The distinction does not really hold for a request for an Attribute
Assertion, since SAML does not specify where the Authority gets its data,
but in most cases, it is going to use information that is already "lying
around" whether or not it constructs a new Assertion.

3. In the case of a request for an AuthZ Decision, the assumption is that
the PDP will do policy evaluation at the time of the request, based on the
data provided or available from other sources, but the PDP is allowed to
cache decisions. (That is why I proposed the "do not cache" feature.)


> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Monday, April 07, 2003 1:54 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Credentials Collector proposal for SAML 2.0
>
> Is there more information on the SAML domain model described in Figure 1 in
> the SAML 1.0 core specification (Assertions and Protocol for the Oasis Security
> Assertion Markup Language) than in the core SAML draft?
>
> The reason I ask is that I believe the RequestAuthenticationAssertion request
> is intended to retrieve existing SAML authentication assertions meeting
> criteria, but the specification states that new authentication assertions
> should not be created. This is distinct from creating authentication
> assertions based on credentials and authentication actions such as challenges
> and responses as outlined in the credential collector proposal. Thus, am I
> correct that none of the types of messages (Type 1,2,3) in the proposal are
> yet defined?
>
> I'm trying to understand in concrete terms what the current SAML standard
> authentication authority formats and protocols are, to better understand why
> we need a translator. Is it correct that generic formats and protocols for
> requesting assertion creation are undefined in SAML? (creation of assertions
> is implicit in the bindings/profile but this is different)
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia Mobile Phones

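The distinction drawn in the thread (an assertion minted at response time versus an authentication event that already happened, and an <AuthenticationQuery> that can only ask about the latter) is easy to lose in prose. The following is an added illustration, not code from the thread, from OASIS, or from the Credentials Collector proposal: a toy SAML 1.0 authentication authority in Python that answers <samlp:AuthenticationQuery> strictly from a table of prior authentication events. The subject names, issuer name, timestamps and event table are constructed sample data; the element names, attributes, namespaces and the samlp:Success status with no <Assertion> for an unknown subject follow the SAML 1.0 core schema and responder rules as the editor recalls them, and are assumptions to check against the spec text. Nothing a requester puts in the query can cause an authentication to be performed; that is the gap the proposed CC-to-AA message is meant to fill.

```python
"""Toy SAML 1.0 authentication authority for <samlp:AuthenticationQuery>.

Added example, not code from the mailing-list thread or from OASIS. The
authority returns a freshly generated assertion (new ID, IssueInstant = now)
whose AuthenticationStatement describes an event that already occurred
(AuthenticationInstant < now). It never authenticates anyone itself.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.0 assertion namespace
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.0 authn method URI

# Constructed sample data (assumption): authentication events the authority
# already knows about, keyed by (subject, method). A query cannot add to it.
NOW = datetime(2003, 4, 15, 15, 20, tzinfo=timezone.utc)
AUTHN_EVENTS = {
    ("alice@example.com", PASSWORD): NOW - timedelta(minutes=42),
}


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authentication_query(subject, method, now=NOW):
    """Requester side: a <samlp:Request> wrapping one <samlp:AuthenticationQuery>."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "0",
        "IssueInstant": _ts(now)})
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery",
                          {"AuthenticationMethod": method})
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    return ET.tostring(req, encoding="unicode")


def handle_request(request_xml, events=AUTHN_EVENTS, now=NOW,
                   issuer="authority.example"):
    """Authority side: look up a past event; never perform an authentication."""
    req = ET.fromstring(request_xml)
    query = req.find(f"{{{SAMLP}}}AuthenticationQuery")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ResponseID": uuid.uuid4().hex, "InResponseTo": req.get("RequestID"),
        "MajorVersion": "1", "MinorVersion": "0", "IssueInstant": _ts(now)})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if query is None:
        code.set("Value", "samlp:Requester")  # not a query this toy answers
        return ET.tostring(resp, encoding="unicode")
    subject = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text
    method = query.get("AuthenticationMethod")
    code.set("Value", "samlp:Success")
    when = events.get((subject, method))
    if when is not None:
        # Assertion generated now; statement refers to an earlier event.
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
            "AssertionID": uuid.uuid4().hex, "Issuer": issuer,
            "IssueInstant": _ts(now), "MajorVersion": "1", "MinorVersion": "0"})
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
            "AuthenticationMethod": method, "AuthenticationInstant": _ts(when)})
        subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    # Unknown subject: Success with no <Assertion>, not a freshly run login.
    return ET.tostring(resp, encoding="unicode")


def summarize(response_xml):
    """Pull out what a relying party would check from the response."""
    resp = ET.fromstring(response_xml)
    out = {"status": resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value"),
           "issue_instant": resp.get("IssueInstant"), "authn_instant": None}
    stmt = resp.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthenticationStatement")
    if stmt is not None:
        out["authn_instant"] = stmt.get("AuthenticationInstant")
    return out


if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com"):
        print(who, summarize(handle_request(build_authentication_query(who, PASSWORD))))
```

Running it shows the two halves of Hal's distinction side by side: alice gets an assertion whose IssueInstant is the response time but whose AuthenticationInstant is 42 minutes earlier, and bob, who has no recorded event, gets a Success response with no assertion rather than a login attempt.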