OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SAML over SOAP in a Multipart/Related MIME part of SwA?

I wonder what folks think of the following. 

In particular, would it be consistent with (a) the
specification, and (b) the intent of the specs? Or
is it really just a new binding (that, in that case,
might be better done another way)?:

This is regarding the SAML SOAP binding. In implementing 
that one has the option of supporting other bindings 
than the HTTP binding required for Compliant IDPs and SPs.

Bindings 3.2 (3.2.2) discusses the protocol-independent
requirements. The "system model for SAML conversations 
over SOAP" is, basically:

1. Arbitrary SOAP headers are allowed, but the SAML responder 
   must not require them to process the SAML request
2. The requester: The single allowed SAML request goes 
   into the SOAP body, and nothing else.
3. The responder: SOAP fault, or the single allowed SAML 
   response into the SOAP body, and nothing else.

Now consider SOAP with Attachments. Basically, a SOAP
processor capable of supporting the Multipart/Related
MIME profile is required to treat the SOAP message
therein (in the/a Multipart/Related root part) as a 
normal SOAP message.

Now here's the trick, in two parts:

1. Is it fudging to call that MIME encapsulation, at the 
   SOAP processor layer (and therefore above in SAML), as 
   just one of those options for binding of SAML over SOAP? 

2. If that's okay, then there's the meaning of "therein"
   when the Multipart/Related structure is recursive.
   That is, each recursion is capable of containing its
   own SOAP with Attachments structure, and its own
   root. In this way the outer/higher MIME parts of the
   structure can/would carry their pre-arranged components
   (for whatever protocol, say ebXML MS2.0) and a SAML
   SOAP binding conversation would be encapsulated, in 
   whole, in an enclosed instance of a SOAP MEP. 

Crazy, Hoyle, or what?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]