OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Using SAML Artifacts in the WSS SAML TokenProfile

Scott Cantor wrote:
>>So, I'm looking at the latest SAML Token Profile document for 
>>the WSS and though it worth mentioning that we consider 
>>documenting how one would use a SAML artifact as a bearer token.    
> An issue to profile around is that artifacts in 2.0 were defined to be
> protocol messages, not assertions. In this case, a samlp:Response,
> presumably.
> In a sense, this resembles the third-party AuthnRequest use case. You've got
> a client (of whatever sort) who wants an assertion to give to a WSP, and
> you're proposing this be done by artifact. In essence then, the client is
> sending an request to the SAML authority for the token on behalf of the WSP,
> but getting back the artifact representing the samlp:Response which the WSP
> can be given to dereference.

If you want to be able to use artifacts to secure SOAP messages, then to 
be compatable with the WSS reference forms, it would seem that the 
artifact, which i would view as a token reference, should be 
encapsulated in an STR, as WSS differentiates references to tokens from 

If this makes sens to others, we could add this ability to the STP. Of 
course, if the client can transform the artifact into an assertion id,
or a a uri query, the existing stp could accomodate the exchange of the 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]