Subject: SAML Browser Profiles Metadata

Colleagues -
As promised, I have published draft 02 of SAML Browser Profiles Metadata. This draft heavily borrows from the Liberty 1.2 metadata spec, draft 1.0-06. The documents are in Kavi and available for review. Please see http://www.oasis-open.org/apps/org/workgroup/security/download.php/1734/draft-sstc-saml-meta-data-02.pdf (an MS Word version is also available). I have also uploaded the schema document that appears in section 3 of this document as an xsd file (see http://www.oasis-open.org/apps/org/workgroup/security/download.php/1736/draft-sstc-schema-meta-data-02.xsd.xml).
Below I attempt to answer some questions that may come up:
Where is Source ID for Artifact source?
Per Liberty specifications, the source ID is a SHA-1 hash of the provider ID, which is a required attribute of the source
Where is the designation for Issuer?
The issuer of a SAML assertion MUST have the same value of the provider ID.
Why would a destination (Service Provider) that supports both browser profiles have to provide two descriptors?
This is required to avoid designating a new element "ArtifactReceiverURL". I.e., we have overloaded AssertionConsumerURL for both browser profiles.
Where is the designation for NameIdentifierFormat?
It is not explicitly designated. It can be specified in the catch-all "Extension" element.
What happened to the various trust models?
In the interest of time I have not specified trust models. Given the practical experience with two interops, it appears that exchanging SSL certificates (both client and server) is the de facto trust model.

Jahan Moreh
Chief Security Architect
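The SourceID derivation answered above (SourceID = SHA-1 of the provider ID), carried through to artifact resolution, as an added example that is not part of the original message or the draft. It assumes the SAML 1.x type 0x0001 artifact layout (2-byte type code, 20-byte SourceID, 20-byte assertion handle, base64-encoded) and uses constructed provider IDs.

```python
import base64
import hashlib

# Constructed sample provider IDs (hypothetical, not from the thread).
PROVIDERS = [
    "https://idp.example.org/saml",
    "https://other-idp.example.net/saml",
]

# SAML 1.x artifact type code 0x0001 (assumed layout: type | SourceID | handle).
ARTIFACT_TYPE_CODE = b"\x00\x01"
ARTIFACT_LEN = 2 + 20 + 20


def source_id(provider_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 digest of the provider ID string."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def build_registry(provider_ids):
    """Map each registered provider's SourceID to its provider ID.

    A destination site keeps this table so an incoming artifact can be tied to
    a known, trusted source before any SAMLRequest is sent to resolve it."""
    return {source_id(p): p for p in provider_ids}


def make_artifact(provider_id: str, assertion_handle: bytes) -> str:
    """Encode a type-1 artifact for the given provider and assertion handle."""
    if len(assertion_handle) != 20:
        raise ValueError("assertion handle must be 20 bytes")
    raw = ARTIFACT_TYPE_CODE + source_id(provider_id) + assertion_handle
    return base64.b64encode(raw).decode("ascii")


def resolve_artifact(artifact: str, registry):
    """Return (provider_id, assertion_handle) for a well-formed artifact whose
    SourceID is registered, or None if it is malformed or from an unknown source."""
    try:
        raw = base64.b64decode(artifact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != ARTIFACT_LEN or raw[:2] != ARTIFACT_TYPE_CODE:
        return None
    provider = registry.get(raw[2:22])
    if provider is None:
        return None
    return provider, raw[22:]
```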
