OASIS Mailing List Archives

security-services message



Subject: New Issue: AssertionID/ WSS Direct reference compatibility


The WSS TC has resolved to require that the value of a "Direct" STR
to a local (i.e. in a wsse:Security header within the same msg as the STR)
security token be restricted to the value of a token independent identifier
attribute.

The rationale being to facilitate efficient, schema independent processing of
identifier references to security tokens.

The WSS TC has resolved that such references only be used to carry
values (as fragment identifiers) of the wsu:id attribute of the referenced
security token.

As such, the use of a SAML assertionID as the value within such references
has been precluded. Local SAML assertion references must be made using
the STR keyIdentifier mechanism.

Prior to this resolution, it was expected that the SAML 2.0 version of the STP
would use only Direct/URI based references; eliminating the use of
KeyIdentifier references (with contained AuthorityBinding) for remote
references. In light of the recent resolution, and to achieve the original
objective of only using Direct references, SAML 2.0 will need to make it
possible to include a wsu:id identifier attribute in a SAML assertion.

SAML 2.0 should also anticipate future XML standardization of an identity
attribute (e.g. xml:id) as a replacement for wsu:id.

It has been suggested that the saml:AssertionID be made an optional attribute,
and that the SAML 2.0 assertion schema be enhanced to allow for attribute
extensibility.

Ron
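The following is an added example written for this archive page; it is not code from the WSS or SAML TCs and is not part of Ron's message. It shows in working code why the WSS resolution matters: a "Direct" wsse:Reference is resolved purely by matching the URI fragment against a wsu:Id attribute, without knowing what kind of token is being referenced, whereas a wsse:KeyIdentifier has to be interpreted according to its ValueType, which for a SAML assertion means looking at saml:Assertion/@AssertionID. The SOAP message is constructed for the example; the wsse and wsu namespace URIs are those of WSS 1.0, and the SAMLAssertionID ValueType URI is assumed to be the one used by the WSS SAML Token Profile 1.0.

```python
"""Resolve WS-Security SecurityTokenReference (STR) elements in a message.

Added example (not from the OASIS WSS or SAML TCs). Direct references are
resolved schema-independently via wsu:Id; KeyIdentifier references need
per-ValueType logic, shown here for SAML AssertionID.
"""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
# Assumed: the ValueType the WSS SAML Token Profile uses for AssertionID key identifiers.
SAML_ASSERTION_ID_VT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

WSU_ID = "{%s}Id" % WSU


def resolve_direct(security, uri):
    """Direct reference: URI must be a fragment naming a wsu:Id inside this
    wsse:Security header. No knowledge of the token type is needed."""
    if not uri.startswith("#"):
        return None  # not a local reference; out of scope for this resolver
    wanted = uri[1:]
    for el in security.iter():
        if el.get(WSU_ID) == wanted:
            return el
    return None  # e.g. a SAML AssertionID value: it is not a wsu:Id


def resolve_key_identifier(security, ki):
    """KeyIdentifier: the meaning of the value depends on ValueType, so the
    resolver must know the referenced token's schema (here: SAML 1.x)."""
    value_type = ki.get("ValueType")
    value = (ki.text or "").strip()
    if value_type == SAML_ASSERTION_ID_VT:
        for assertion in security.iter("{%s}Assertion" % SAML1):
            if assertion.get("AssertionID") == value:
                return assertion
        return None
    raise ValueError("unsupported KeyIdentifier ValueType: %r" % value_type)


def resolve_str(security, str_el):
    """Dispatch one wsse:SecurityTokenReference to the matching resolver."""
    ref = str_el.find("{%s}Reference" % WSSE)
    if ref is not None:
        return resolve_direct(security, ref.get("URI", ""))
    ki = str_el.find("{%s}KeyIdentifier" % WSSE)
    if ki is not None:
        return resolve_key_identifier(security, ki)
    return None


def resolve_all(envelope_xml):
    """Map each STR's own wsu:Id to the local name of the token it resolves
    to (or None when the reference cannot be resolved)."""
    root = ET.fromstring(envelope_xml)
    security = root.find(".//{%s}Security" % WSSE)
    out = {}
    for str_el in security.findall("{%s}SecurityTokenReference" % WSSE):
        token = resolve_str(security, str_el)
        out[str_el.get(WSU_ID)] = None if token is None else token.tag.split("}")[-1]
    return out


# Constructed sample message: a SAML 1.1 assertion (identified only by
# AssertionID) and an X.509 token (identified by wsu:Id), plus three STRs.
SAMPLE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:saml="{saml}">
 <S:Header>
  <wsse:Security>
   <saml:Assertion AssertionID="_a75adf55" Issuer="idp.example" MajorVersion="1" MinorVersion="1"/>
   <wsse:BinarySecurityToken wsu:Id="X509Token">MIIC...</wsse:BinarySecurityToken>
   <wsse:SecurityTokenReference wsu:Id="str-x509">
    <wsse:Reference URI="#X509Token"/>
   </wsse:SecurityTokenReference>
   <wsse:SecurityTokenReference wsu:Id="str-direct-saml">
    <wsse:Reference URI="#_a75adf55"/>
   </wsse:SecurityTokenReference>
   <wsse:SecurityTokenReference wsu:Id="str-ki-saml">
    <wsse:KeyIdentifier ValueType="{vt}">_a75adf55</wsse:KeyIdentifier>
   </wsse:SecurityTokenReference>
  </wsse:Security>
 </S:Header>
 <S:Body/>
</S:Envelope>""".format(wsse=WSSE, wsu=WSU, saml=SAML1, vt=SAML_ASSERTION_ID_VT)

# The same message with the wsu:Id that the SAML 2.0 schema would have to
# permit on the assertion for a Direct reference to work.
SAMPLE_WITH_WSU_ID = SAMPLE.replace(
    'AssertionID="_a75adf55"', 'AssertionID="_a75adf55" wsu:Id="_a75adf55"')

if __name__ == "__main__":
    print(resolve_all(SAMPLE))
    print(resolve_all(SAMPLE_WITH_WSU_ID))
```

With the plain SAML 1.x assertion, the Direct reference to the AssertionID value fails to resolve while the KeyIdentifier reference succeeds; once the assertion carries a wsu:Id, the Direct reference resolves through the same generic path as the X.509 token, which is the point of allowing that attribute on SAML 2.0 assertions.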


