OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: MTI security models for SOAP Binding

The SAML SOAP binding makes an appearance in 4 profiles:

(1) Web SSO Profile (via the Artifact Resolution Profile)
(2) AssertionQuery/Request Profile (AttributeQuery,
AuthorizationDecisionQuery, AssertionIDRequest)
(3) NameID Mgmt
(4) Single Logout

Conformance-04 does not as yet include any MTI security models for the SOAP

Proposal to add text to conformance-04 (starting at line 134)

2.3 Security models for SOAP Binding

The following security models are MTI for profiles that use the SOAP
binding. The SAML requester and responder MUST implement the following
authentication methods:

1. No client or server authentication. 

2. HTTP basic authentication [RFC2617] with and without SSL 3.0 or TLS 1.0.
The SAML requester MUST preemptively send the authorization header with the
initial request.  

3. HTTP over SSL 3.0 or TLS 1.0 (see Section 6) server authentication with a
server-side certificate. 

4. HTTP over SSL 3.0 or TLS 1.0 mutual authentication with both server-side
and a client-side certificate. 

If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]