This mail is to address my AI
#0224:
Based on recent discussions, it
appears that the TC is interested in holding a public review for this
specification and moving it to CS status. There was one main issue
posted to the list by Conor that resulted in considerable discussion.
The original note describing the issue is in the email thread starting
with:
As per the TC
meeting documented at:
it was suggested that we rename
the document (which was done) and that we address the concern via additional
security considerations text. I worked offline with Rick Randall and
others to reach agreement on some text. This text was not brought to the
committee since, at the time, it was decided to leave the document at
Committee Draft status as it was approved in
June.
The current
security considerations text is as
follows:
----------------------------
5. Security
Considerations
The service provider functions as a trusted component
performing the client certificate authentication of the principal that is
attempting to access a protected resource. Upon successful client
certificate authentication by the principal the service provider will generate
an <AttributeQuery> that contains the value of the principal's Subject
DN from the principal's X.509v3 certificate within the <NameID>
element.
In the Encrypted/Signed Mode for
this profile the service provider is authenticated by the IdP. The
attributes and attribute values that are returned in the SAML
<Assertion> are determined by the IdP policy configured for a service
provider.
--------------------------
Here is the proposed
text:
---------------------------------------
5. Security
Considerations
As is the case with other
processing profiles of SAML that rely on an earlier act of user
authentication, this profile assumes that the system entity that performs the
actual validation of user credentials is operating in a secure environment
that includes the SAML system entity initiating the profile. For
example, when considering the SAML Web Browser SSO Profile [SAMLProf], an
authentication service that validates a username/password for a user must be
securely linked to an identity provider that issues SAML web SSO assertions
based on that user's act of authentication.
In this profile, an end user uses
an X.509 certificate to authenticate at the service provider. The system
entity that performs this authentication (i.e. validates the certificate and
its trust chain) must be securely linked to the SAML service provider that
subsequently initiates this profile by obtaining the X.509 subject name from
the end-user certificate and issuing a SAML <AttributeQuery> for that
subject to the appropriate asserting party. The mechanism by which these
system entities are linked is out-of-scope for this
profile.
Local policy settings of the
attribute authority will determine whether or not the asserting party is
permitted to return attributes and their values for the requested
subject.
Since this profile relies on the
SAML SOAP Binding [SAMLBind], the relevant security considerations described
in the SAML Security and Privacy Considerations [SAMLSec] specification should
also be observed. While not mandated by the Basic Mode of this profile, the
Encrypted/Signed Mode requires the service provider to successfully
authenticate to the attribute authority in order to obtain the requested
subject's attributes.
----------------------------------------
Comments are
welcome...
Rob
Philpott
Senior Consulting
Engineer
RSA
Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax:
781-515-7020
Email:
rphilpott@rsasecurity.com
I-name: =Rob.Philpott