OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Request for clarification regarding simple-sign spec

Hi, I'm using simple-sign to secure SAML messages between two servers. 
In this case neither server wants to deal with full XML signatures 
(flames off-list are fine:). My question is in regard to the following 
paragraph from section 2.4.

> If the SAML protocol message is signed using SimpleSign, the 
> Destination XML attribute in the root
> SAML element of the SAML protocol message MUST contain the URL to 
> which the sender has instructed
> the user agent to deliver the message. The recipient MUST then verify 
> that the value matches the location
> at which the SAML protocol message has been received. Also, the 
> signer's certificate or other keying
> information MAY be included in a form control named KeyInfo. This form 
> control, if present, MUST
> contain a base-64 encoded <ds:KeyInfo> element [XMLSig] (base-64 
> encoding is done as in step 1,
> above).
Since the message is NOT being passed through a user agent, does this 
still apply? I can see the Destination attribute being useful on the 
initial request message (in our case an AuthnRequest) but not on the 
Response as that data is just the return of the HTTP request. However, 
the spec says it's a MUST. How does the receiving server know the 
endpoint at the sender when it's just responding to an HTTP request?

Can we consider our implementation compliant if it's specified on the 
AuthnRequest but not on the Response?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]