Subject: Re: [security-services] Minutes of 19-July SSTC con-call




> Using SAML Artifacts in the WSS SAML Token Profile
> <http://lists.oasis-open.org/archives/security-services/200507/msg00011.html>
>
>     Deferred until Conor provides his use-case
>
>     .. Need to hear Conor's use-case to better understand why
>     standard reference mechanisms are not sufficient
>     .. Artifact is typically used only with the HTTP binding.
>     Looking to hear if there is a SOAP context
>     .. No construct in SAML 2.0 for artifacts.


My use case is as follows...

In Liberty, we have a Discovery Service (DS) which returns an assertion
to a Web Service Consumer (WSC) that can be used by the WSC to invoke
a web service provider (WSP). In some cases this assertion includes
a subject confirmation of "...:bearer" (which essentially means that
as long as the message "bears" the token, it's ok).

This is all doable using the current draft of the STP.

So, what I am asking about here is the DS issuing an artifact
rather than an assertion to the WSC who then includes the
artifact when invoking the WSP.  The WSP then dereferences
the token to obtain the assertion.

The benefits here are that the assertion does not need to go through
the WSC and the assertion may not need to be signed as the WSP
is getting the assertion directly from the IdP/DS.

The limitation is that this only works in the case where one was
otherwise going to use a bearer token between the WSC and the WSP.

Conor
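The artifact flow described in the message above, as an added Python sketch that is not part of this thread or of any Liberty or SAML implementation. The DiscoveryService, WebServiceProvider and Assertion classes, the audience check on the WSP-to-DS back channel and the single-use redemption of an artifact are assumptions about how such a flow would be built; they illustrate the two claimed benefits (the assertion never transits the WSC, and the back channel can replace a signature) and the stated limitation (bearer confirmation only).

```python
import secrets
from dataclasses import dataclass


@dataclass
class Assertion:
    subject: str
    audience: str       # the WSP this assertion is meant for
    confirmation: str   # "bearer" or "holder-of-key"


class DiscoveryService:
    """Hypothetical DS/IdP: hands the WSC either the assertion itself or an
    artifact, an opaque handle that only the intended WSP can dereference."""

    def __init__(self):
        self._pending = {}   # artifact handle -> assertion held back at the DS

    def issue_assertion(self, subject, wsp, confirmation="bearer"):
        return Assertion(subject, wsp, confirmation)

    def issue_artifact(self, subject, wsp, confirmation="bearer"):
        # The assertion never leaves the DS; the WSC only carries the handle.
        handle = secrets.token_urlsafe(20)
        self._pending[handle] = self.issue_assertion(subject, wsp, confirmation)
        return handle

    def resolve(self, handle, caller):
        # Back channel from the WSP, assumed mutually authenticated, which is
        # why the returned assertion need not carry its own signature.
        assertion = self._pending.get(handle)
        if assertion is None or assertion.audience != caller:
            return None
        del self._pending[handle]   # single use: a replayed handle is refused
        return assertion


class WebServiceProvider:
    def __init__(self, name, ds):
        self.name, self.ds = name, ds

    def handle_request(self, artifact):
        assertion = self.ds.resolve(artifact, self.name)
        if assertion is None:
            return "rejected: unknown, replayed or misdirected artifact"
        if assertion.confirmation != "bearer":
            # The stated limitation: a bare artifact gives the WSP nothing
            # with which to check a holder-of-key confirmation.
            return "rejected: artifact flow only fits bearer confirmation"
        return f"accepted: {assertion.subject}"
```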
