security-services message


Subject: Recommended text for SAML Attr Sharing Profile for X.509 Authn-based Systems

This mail is to address my AI #0224:


Based on recent discussions, it appears that the TC is interested in holding a public review for this specification and moving it to CS status.  There was one main issue posted to the list by Conor that resulted in considerable discussion.  The original note describing the issue is in the email thread starting with:


As per the TC meeting documented at:


it was suggested that we rename the document (which was done) and that we address the concern via additional security considerations text.  I worked offline with Rick Randall and others to reach agreement on some text.  This text was not brought to the committee since, at the time, it was decided to leave the document at Committee Draft status as it was approved in June.


The current security considerations text is as follows:


5. Security Considerations


The service provider functions as a trusted component performing the client certificate authentication of the principal that is attempting to access a protected resource.  Upon successful client certificate authentication by the principal, the service provider will generate an <AttributeQuery> that contains the value of the principal’s Subject DN from the principal’s X.509v3 certificate within the <NameID> element.

In the Encrypted/Signed Mode for this profile the service provider is authenticated by the IdP.  The attributes and attribute values that are returned in the SAML <Assertion> are determined by the IdP policy configured for a service provider.



Here is the proposed text:


5. Security Considerations


As is the case with other processing profiles of SAML that rely on an earlier act of user authentication, this profile assumes that the system entity that performs the actual validation of user credentials is operating in a secure environment that includes the SAML system entity initiating the profile.  For example, when considering the SAML Web Browser SSO Profile [SAMLProf], an authentication service that validates a username/password for a user must be securely linked to an identity provider that issues SAML web SSO assertions based on that user’s act of authentication. 


In this profile, an end user uses an X.509 certificate to authenticate at the service provider.  The system entity that performs this authentication (i.e. validates the certificate and its trust chain) must be securely linked to the SAML service provider that subsequently initiates this profile by obtaining the X.509 subject name from the end-user certificate and issuing a SAML <AttributeQuery> for that subject to the appropriate asserting party. The mechanism by which these system entities are linked is out of scope for this profile.


Local policy settings of the attribute authority will determine whether or not the asserting party is permitted to return attributes and their values for the requested subject.


Since this profile relies on the SAML SOAP Binding [SAMLBind], the relevant security considerations described in the SAML Security and Privacy Considerations [SAMLSec] specification should also be observed. While not mandated by the Basic Mode of this profile, the Encrypted/Signed Mode requires the service provider to successfully authenticate to the attribute authority in order to obtain the requested subject’s attributes.



Comments are welcome…


Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
I-name:  =Rob.Philpott
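The exchange the proposed text describes, as an added example that is not part of the original message or of the profile specification: the service provider, having already validated the end user's certificate, builds a SAML 2.0 <AttributeQuery> whose <NameID> carries the X.509 Subject DN (using the standard X509SubjectName NameID format), and the attribute authority parses that query and applies a local release policy keyed on whether, and as whom, the requester authenticated. The attribute store, the policy table, the entity IDs and the subject DN are constructed sample data; the policy shape (a smaller release set for an unauthenticated Basic Mode requester) is an assumption, since the text leaves those policy settings to the deployment.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML NameID format for an X.509 subject name.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


def build_attribute_query(subject_dn, sp_entity_id, attribute_names=()):
    """Service-provider side: wrap the Subject DN obtained from the
    already-validated end-user certificate in an <AttributeQuery>."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    # An empty attribute list means "all attributes the policy allows".
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def parse_attribute_query(xml_text):
    """Attribute-authority side: extract the subject DN and the requested
    attribute names, rejecting queries that do not use the X.509 format."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not an AttributeQuery")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") != X509_SUBJECT_NAME:
        raise ValueError("expected NameID in X509SubjectName format")
    requested = [a.get("Name") for a in root.findall(f"{{{SAML}}}Attribute")]
    return name_id.text, requested


# Constructed sample data (hypothetical): what the authority knows about a subject.
ATTRIBUTE_STORE = {
    "CN=Alice Example,OU=Engineering,O=Example Corp,C=US": {
        "mail": "alice@example.com",
        "role": "engineer",
        "clearance": "secret",
    },
}

# Constructed local release policy (hypothetical), keyed on the authenticated
# requester.  In Encrypted/Signed Mode the SP has authenticated, so its entity
# ID is known; in Basic Mode nothing authenticated the requester, modelled as None.
RELEASE_POLICY = {
    "https://sp.example.com": {"mail", "role"},
    None: {"mail"},
}


def answer_query(xml_text, authenticated_requester=None):
    """Return only the attributes that local policy permits for this requester
    and that exist for the subject; unknown subjects or requesters get nothing."""
    subject_dn, requested = parse_attribute_query(xml_text)
    allowed = RELEASE_POLICY.get(authenticated_requester, set())
    attrs = ATTRIBUTE_STORE.get(subject_dn, {})
    if not requested:
        requested = list(attrs)
    return {n: attrs[n] for n in requested if n in allowed and n in attrs}


if __name__ == "__main__":
    dn = "CN=Alice Example,OU=Engineering,O=Example Corp,C=US"
    q = build_attribute_query(dn, "https://sp.example.com", ["mail", "role", "clearance"])
    print(answer_query(q, "https://sp.example.com"))  # SP authenticated: mail and role
    print(answer_query(q))                              # Basic Mode: mail only
```

The "clearance" attribute is never released in either mode because no policy entry lists it, which is the point the proposed text makes: the asserting party's local policy, not the query, decides what comes back, and authenticating the service provider only widens what the policy may grant.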

