Subject: New Issue: AssertionID / WSS Direct reference compatibility
The WSS TC has resolved to require that the value of a "Direct" STR to a local (i.e. in a wsse:Security header within the same msg as the STR) security token be restricted to the value of a token-independent identifier attribute. The rationale is to facilitate efficient, schema-independent processing of identifier references to security tokens. The WSS TC has resolved that such references only be used to carry values (as fragment identifiers) of the wsu:id attribute of the referenced security token. As such, the use of a SAML AssertionID as the value within such references has been precluded. Local SAML assertion references must be made using the STR KeyIdentifier mechanism.

Prior to this resolution, it was expected that the SAML 2.0 version of the STP would use only Direct/URI-based references, eliminating the use of KeyIdentifier references (with contained AuthorityBinding) for remote references. In light of the recent resolution, and to achieve the original objective of only using Direct references, SAML 2.0 will need to make it possible to include a wsu:id identifier attribute in a SAML assertion. SAML 2.0 should also anticipate future XML standardization of an identity attribute (e.g. xml:id) as a replacement for wsu:id.

It has been suggested that the saml:AssertionID be made an optional attribute, and that the SAML 2.0 assertion schema be enhanced to allow for attribute extensibility.

Ron