security-services message
Subject: definition of "strongly matches"


As mentioned on the last call, a primary goal of the Subject-based
Profiles for SAML V1.1 Assertions is to define and apply the notion of
"very strongly matches," which builds on the existing definition of
"strongly matches."  The definition of "strongly matches" in SAML V1.1
differs from that in SAML V2.0, however, so first we have to reconcile
the two definitions.

The name identifier part of "strongly matches" in the two versions of
SAML is the same if we ignore the language regarding encryption in the
SAML V2.0 definition (which of course SAML V1.1 does not support).  On
the other hand, the subject confirmation part of "strongly matches"
has a distinctly different flavor, so we first reformulate the subject
confirmation part of "strongly matches" in SAML V1.1 so that it aligns
with SAML V2.0.

With respect to SAML V1.1 <saml:SubjectConfirmation>, there seem to
be two choices: 1) map a SAML V1.1 <saml:SubjectConfirmation> element
containing multiple <saml:ConfirmationMethod> elements to multiple
<saml2:SubjectConfirmation> elements each with a corresponding Method
attribute, or 2) restrict a SAML V1.1 <saml:SubjectConfirmation> to
have a single <saml:ConfirmationMethod> element.  For simplicity, we
choose the latter in the profile:

http://www.oasis-open.org/apps/org/workgroup/security/download.php/26572/sstc-saml1-profiles-assertion-subject-draft-01.pdf

[lines 191--196] "In SAML V1.1, a <saml:Subject> element contains at
most one <saml:SubjectConfirmation> element containing one or more
<saml:ConfirmationMethod> elements. In SAML V2.0, on the other hand,
there may be multiple <saml2:SubjectConfirmation> elements, each with
a required Method attribute. Therefore, a <saml:Subject> element that
conforms to this profile MAY contain a <saml:SubjectConfirmation>
element, but that element MUST contain one and only one
<saml:ConfirmationMethod> element."

Under the assumption that there is one and only one
<saml:ConfirmationMethod> element, we define the subject confirmation
part of "S1 strongly matches S2" as follows (to be inserted at line
240):

"If S2 contains a <saml:SubjectConfirmation> element, then S1 MUST
contain a <saml:SubjectConfirmation> element such that the subject
identified by S1 can be confirmed in the manner described by the
<saml:SubjectConfirmation> element in S2."

Note that all of the following must be true:

a) The <saml:ConfirmationMethod> elements of S1 and S2 are equal.

b) If S2 has a <ds:KeyInfo> child element, then S1 has a <ds:KeyInfo>
child element, and moreover, the two <ds:KeyInfo> elements refer to
the same key.

c) If S2 has a <saml:SubjectConfirmationData> element, then S1 has a
<saml:SubjectConfirmationData> element, and the contents of the two
<saml:SubjectConfirmationData> elements are equivalent.

If any of the above are not true, S1 does not strongly match S2.

The rest of the profile depends on this definition of "strongly
matches," so I'll stop there and ask if there are any questions or
concerns.

Tom
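The subject confirmation conditions (a) to (c) from the post, as an added Python example that is not part of the original message or of the SSTC profile draft. It parses two SAML V1.1 <saml:Subject> elements with the standard library, enforces the profile's one-<saml:ConfirmationMethod> restriction, and then checks method equality, <ds:KeyInfo> and <saml:SubjectConfirmationData> in turn. The sample subjects and the key name are constructed for the demonstration; reading "refer to the same key" in (b) as a whitespace-normalized comparison of the <ds:KeyInfo> contents is an assumption (a deployment would resolve the actual key material, and the name identifier part of "strongly matches" is checked separately).

```python
import xml.etree.ElementTree as ET

# SAML V1.1 assertion and XML Signature namespaces.
NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _canon(elem):
    """Normalize an element subtree into a comparable structure.

    Text is stripped and attributes sorted, so that two elements with the
    same content but different serialization compare equal. This stands in
    for 'refer to the same key' / 'equivalent contents' (an assumption).
    """
    return (
        elem.tag,
        tuple(sorted(elem.attrib.items())),
        (elem.text or "").strip(),
        tuple(_canon(child) for child in elem),
    )


def single_confirmation(subject):
    """Return the <saml:SubjectConfirmation> of a <saml:Subject>, or None.

    Enforces the profile restriction quoted in the post: when present, the
    element MUST contain one and only one <saml:ConfirmationMethod>.
    """
    confs = subject.findall("saml:SubjectConfirmation", NS)
    if not confs:
        return None
    if len(confs) > 1:
        raise ValueError("SAML V1.1 allows at most one SubjectConfirmation")
    conf = confs[0]
    if len(conf.findall("saml:ConfirmationMethod", NS)) != 1:
        raise ValueError("profile requires exactly one ConfirmationMethod")
    return conf


def confirmation_strongly_matches(s1, s2):
    """Subject confirmation part of 'S1 strongly matches S2' (conditions a-c)."""
    c2 = single_confirmation(s2)
    if c2 is None:
        return True  # S2 imposes no confirmation requirement
    c1 = single_confirmation(s1)
    if c1 is None:
        return False
    # (a) the confirmation methods are equal
    m1 = (c1.find("saml:ConfirmationMethod", NS).text or "").strip()
    m2 = (c2.find("saml:ConfirmationMethod", NS).text or "").strip()
    if m1 != m2:
        return False
    # (b) if S2 names a key, S1 must name the same key
    k2 = c2.find("ds:KeyInfo", NS)
    if k2 is not None:
        k1 = c1.find("ds:KeyInfo", NS)
        if k1 is None or _canon(k1) != _canon(k2):
            return False
    # (c) if S2 carries SubjectConfirmationData, S1 must carry equivalent data
    d2 = c2.find("saml:SubjectConfirmationData", NS)
    if d2 is not None:
        d1 = c1.find("saml:SubjectConfirmationData", NS)
        if d1 is None or _canon(d1) != _canon(d2):
            return False
    return True


# Constructed sample subjects (not taken from any real assertion).
_TEMPLATE = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
  <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>
    {extra}
  </saml:SubjectConfirmation>
</saml:Subject>"""

HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
KEY = "<ds:KeyInfo><ds:KeyName>alice-signing-key</ds:KeyName></ds:KeyInfo>"


def make_subject(method, extra=""):
    """Build a constructed <saml:Subject> with the given method and extra child XML."""
    return ET.fromstring(_TEMPLATE.format(method=method, extra=extra))


def demo():
    """Exercise the definition against a holder-of-key S2 that names a key."""
    s2 = make_subject(HOK, KEY)
    try:
        single_confirmation(make_subject(HOK, "<saml:ConfirmationMethod>x</saml:ConfirmationMethod>"))
        violation = False
    except ValueError:
        violation = True
    return {
        "same_key": confirmation_strongly_matches(make_subject(HOK, KEY), s2),
        "missing_key": confirmation_strongly_matches(make_subject(HOK), s2),
        "different_method": confirmation_strongly_matches(make_subject(BEARER, KEY), s2),
        "s2_unconstrained": confirmation_strongly_matches(make_subject(BEARER), make_subject(BEARER)),
        "two_methods_rejected": violation,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check is deliberately asymmetric: S2 states the requirement and S1 must satisfy it, so an S2 without <saml:SubjectConfirmation> matches any S1, while an S1 that drops the <ds:KeyInfo> that S2 carries does not strongly match.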
