Subject: RE: [security-services] Using SAML Artifacts in the WSS SAML Token Profile


> So, I'm looking at the latest SAML Token Profile document for
> the WSS and thought it worth mentioning that we consider
> documenting how one would use a SAML artifact as a bearer token.

An issue to profile around is that artifacts in 2.0 were defined to be
protocol messages, not assertions. In this case, a samlp:Response,
presumably.

In a sense, this resembles the third-party AuthnRequest use case. You've got
a client (of whatever sort) who wants an assertion to give to a WSP, and
you're proposing this be done by artifact. In essence then, the client is
sending a request to the SAML authority for the token on behalf of the WSP,
but getting back the artifact representing the samlp:Response which the WSP
can be given to dereference.

So the request comes from somebody else but the Response goes to the WSP.
One way of thinking about it, maybe.

Alternatively, you can certainly just make it work, since ArtifactResponse
is able to carry anything, and you could stuff an assertion there as long as
the requester understood the profile.

No need to say I prefer something that doesn't corrupt the original intent
of the spec. ;-)

There are a lot of use cases for this in application protocols that can't
carry assertions by value. The basic technique could work for UDP protocols,
for example.

-- Scott
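The flow described above (a client obtains an artifact that names a samlp:Response, and the WSP dereferences it to get at the assertion), as an added example that is not part of the original thread. The issuer, the WSP entity IDs, the in-memory store and the sample Response are constructed for illustration, and the in-process resolve() call stands in for the ArtifactResolve/ArtifactResponse exchange; the artifact layout is the SAML 2.0 type 0x0004 format.

```python
import base64, hashlib, os, struct
import xml.etree.ElementTree as ET
TYPE_CODE = 0x0004  # SAML 2.0 artifact: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def encode_artifact(source_id: bytes, endpoint_index: int, handle: bytes) -> str:
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode("ascii")

def decode_artifact(art: str):  # -> (endpoint_index, source_id, handle); rejects anything but 44-byte type 0x0004
    raw = base64.b64decode(art, validate=True)
    if len(raw) != 44:
        raise ValueError("wrong length for a type 0x0004 artifact")
    type_code, idx = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return idx, raw[4:24], raw[24:44]

class SamlAuthority:  # hypothetical issuer: stores a samlp:Response and hands out an artifact that names it
    def __init__(self, entity_id: str):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()  # SourceID = SHA-1 of the issuer's entityID
        self._pending = {}
    def issue(self, response_xml: str) -> str:
        handle = os.urandom(20)  # random, unguessable MessageHandle
        self._pending[handle] = response_xml
        return encode_artifact(self.source_id, 0, handle)
    def resolve(self, art: str):
        _, source_id, handle = decode_artifact(art)
        if source_id != self.source_id:
            return None
        return self._pending.pop(handle, None)  # single use: resolving the same artifact again yields None

def wsp_accept(authority: SamlAuthority, art: str, my_entity_id: str):  # WSP side of the flow
    msg = authority.resolve(art)
    if msg is None:
        return None
    root = ET.fromstring(msg)
    if root.tag != f"{{{SAMLP}}}Response":  # the artifact names a protocol message, not a bare assertion
        return None
    for a in root.findall(f"{{{SAML}}}Assertion"):  # unwrap down to the assertion addressed to this WSP
        if my_entity_id in [e.text for e in a.iter(f"{{{SAML}}}Audience")]:
            return a.get("ID")
    return None

# Constructed sample Response carrying one assertion whose audience is the WSP
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">'
    '<saml:Assertion ID="_a1"><saml:Conditions><saml:AudienceRestriction><saml:Audience>'
    'https://wsp.example/svc</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>')
```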

