Subject: Re: [security-services] Groups -sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
I guess the question is whether a client that knows nothing about the X.509 Attribute Sharing Profile NEEDS to distinguish between those three endpoints, or would they all work for standard attribute requests? Do you really expect to see separate endpoints like that anyway, or would it be more common to have one endpoint like:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml">
  <md:AttributeAuthorityDescriptor
      xmlns:x509qry="urn:oasis:names:tc:SAML:2.0:profiles:X509:query:attribute"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService
        x509qry:hasBasicSupport="true"
        x509qry:hasEnhancedSupport="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/saml-idp/AA"/>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    </md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>

-Greg

On 8/7/06 4:17 PM, "Tom Scavo" <trscavo@gmail.com> wrote:

> On 8/7/06, Tom Scavo <trscavo@gmail.com> wrote:
>> On 8/4/06, Ari Kermaier <ari.kermaier@oracle.com> wrote:
>>>
>>> Overall, this looks good, though I want to go through the metadata section
>>> and schema a little more carefully.
>>
>> If something looks fishy with the metadata bits, that's because there
>> is. :-) Scott and I had an offline discussion that exposed a
>> potential problem. (I'll refrain from going into the details here.)
>> Consequently, the metadata section must be rewritten (or at least
>> reexamined).
>
> Below is a metadata example that illustrates the problem. Note that
> there are three <md:AttributeService> elements, two that call out
> support of the X.509 Attribute Sharing Profile. Unless the Attribute
> Sharing Profile is an extension of the Assertion Query/Request Profile
> (in the strongest sense), an SP that knows nothing about the Attribute
> Sharing Profile is unable to distinguish the three endpoints.
>
> <md:EntityDescriptor
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     entityID="https://idp.example.org/saml">
>   <md:AttributeAuthorityDescriptor
>       xmlns:x509qry="urn:oasis:names:tc:SAML:2.0:profiles:X509:query:attribute"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:AttributeService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="https://idp.example.org:8443/saml-idp/AA"/>
>     <md:AttributeService
>         x509qry:hasBasicSupport="true"
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="https://idp.example.org:8443/saml-idp/AA/basic"/>
>     <md:AttributeService
>         x509qry:hasEnhancedSupport="true"
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="https://idp.example.org:8443/saml-idp/AA/enhanced"/>
>     <md:NameIDFormat>
>       urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
>     </md:NameIDFormat>
>   </md:AttributeAuthorityDescriptor>
> </md:EntityDescriptor>
>
> I'm not sure what the best solution to this problem is. Any suggestions?
>
> Thanks,
> Tom
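The following is an added example, not code from the thread or from the SSTC profile draft: a small Python script that parses both metadata documents above (transcribed with whitespace added) and shows what a requester sees depending on whether it understands the x509qry extension attributes. SAML metadata endpoint elements may carry attributes from other namespaces, and a consumer that does not know them simply ignores them, so a profile-unaware SP sees three SOAP endpoints with no basis for choosing between them in Tom's layout, and exactly one in Greg's. The functions, the `understands_x509qry`/`want` parameters and the assumption that the metadata was already authenticated before being trusted are mine, not the thread's.

```python
"""Added example: which <md:AttributeService> endpoints can a requester tell apart?

Assumption (mine, not the thread's): the metadata has already been
authenticated (signature verified or fetched over a trusted channel);
this code only looks at the endpoint descriptions it contains.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
X509QRY_NS = "urn:oasis:names:tc:SAML:2.0:profiles:X509:query:attribute"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
AA_BASE = "https://idp.example.org:8443/saml-idp/AA"

# Tom's layout from the thread: three SOAP endpoints, two flagged for the profile.
THREE_ENDPOINT_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.org/saml">
  <md:AttributeAuthorityDescriptor xmlns:x509qry="{X509QRY_NS}"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="{SOAP_BINDING}" Location="{AA_BASE}"/>
    <md:AttributeService x509qry:hasBasicSupport="true"
        Binding="{SOAP_BINDING}" Location="{AA_BASE}/basic"/>
    <md:AttributeService x509qry:hasEnhancedSupport="true"
        Binding="{SOAP_BINDING}" Location="{AA_BASE}/enhanced"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

# Greg's layout from the thread: a single endpoint carrying both flags.
ONE_ENDPOINT_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.org/saml">
  <md:AttributeAuthorityDescriptor xmlns:x509qry="{X509QRY_NS}"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService x509qry:hasBasicSupport="true"
        x509qry:hasEnhancedSupport="true"
        Binding="{SOAP_BINDING}" Location="{AA_BASE}"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def attribute_services(metadata_xml):
    """One dict per <md:AttributeService>: Binding, Location, and any
    boolean flags found in the x509qry namespace (e.g. hasBasicSupport)."""
    root = ET.fromstring(metadata_xml)
    services = []
    for svc in root.iter(f"{{{MD_NS}}}AttributeService"):
        entry = {"Binding": svc.get("Binding"), "Location": svc.get("Location")}
        for qname, value in svc.attrib.items():
            # ElementTree exposes namespaced attributes as "{namespace}local".
            if qname.startswith(f"{{{X509QRY_NS}}}"):
                entry[qname.split("}", 1)[1]] = value.strip().lower() == "true"
        services.append(entry)
    return services


def candidate_endpoints(metadata_xml, understands_x509qry, want=None):
    """Locations a requester would consider for a SOAP attribute query.

    A requester that does not understand the profile ignores the foreign
    attributes and keys only on Binding, so every SOAP endpoint looks the
    same to it. A profile-aware requester may filter on a flag name
    (`want`, e.g. "hasEnhancedSupport")."""
    soap = [s for s in attribute_services(metadata_xml) if s["Binding"] == SOAP_BINDING]
    if not understands_x509qry or want is None:
        return [s["Location"] for s in soap]
    return [s["Location"] for s in soap if s.get(want, False)]


def ambiguous_for_unaware_requester(metadata_xml):
    """True when a profile-unaware requester is left with more than one
    indistinguishable SOAP endpoint, which is the problem Tom describes."""
    return len(candidate_endpoints(metadata_xml, understands_x509qry=False)) > 1


if __name__ == "__main__":
    for label, md in (("three endpoints", THREE_ENDPOINT_METADATA),
                      ("one endpoint", ONE_ENDPOINT_METADATA)):
        print(f"{label}: unaware SP sees",
              candidate_endpoints(md, understands_x509qry=False),
              "ambiguous:", ambiguous_for_unaware_requester(md))
```

Run as a script it prints the endpoint lists for both layouts; the point of `ambiguous_for_unaware_requester` is that it is True for the three-endpoint layout and False for the single-endpoint one, which is the difference the two messages are debating.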