Subject: Re: [security-services] Correction to my diatribe about assertion Subjects on last call
On Thu, Nov 20, 2008 at 1:38 PM, Nate Klingenstein <ndk@internet2.edu> wrote:
> So, here's the text I'd propose for draft -10:
>
> ● The <saml:Subject> element of every assertion returned MUST refer to the principal. It is allowable for the content of the <saml:Subject> elements to differ, e.g. using a different <saml:NameID> or <saml:SubjectConfirmation> elements.
> ● The set of one or more assertions MUST contain at least one <saml:AuthnStatement> that reflects the authentication of the principal to the identity provider.

"one or more holder-of-key assertions"

> ● Any assertion issued for consumption using this profile MUST be a holder-of-key assertion as defined in [SAML2HoKAP] and adhere to section 1.4 therein. If the <samlp:AuthnRequest> does not contain a <saml:Subject> with a <saml:SubjectConfirmation>, and the service provider does not indicate otherwise, such as through metadata,

How is this done with metadata?

> every assertion in the response MUST contain a <ds:X509Certificate> element in its <ds:X509Data>. This certificate SHOULD be DER-encoded.

Strike that last sentence. There is no requirement that the assertion be DER-encoded.

> Other certificate information MAY be included in additional child elements of <ds:X509Data>.

Tom
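The rules quoted in this thread can be turned into a mechanical conformance check on the service-provider side. The following is an added example, not code from the thread or from the OASIS profile: it parses a SAML Response and reports which of the proposed draft -10 requirements it violates (holder-of-key confirmation on every assertion, at least one AuthnStatement, and a ds:X509Certificate under ds:X509Data unless the AuthnRequest supplied its own SubjectConfirmation or the SP opted out). The function name `check_response`, its two keyword flags, and all sample XML, IDs and certificate text are constructed for illustration; the namespace URIs and the holder-of-key/bearer method URIs are the standard SAML 2.0 values.

```python
"""Added example (not from the thread): mechanical checks for the proposed
draft -10 rules, run against constructed SAML Responses.
Sample XML, IDs and certificate text are constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CERT_PATH = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def check_response(response_xml, request_had_subject_confirmation=False,
                   sp_opted_out_of_certificate=False):
    """Return a list of violations of the quoted rules (empty list = conformant).

    The first rule ("MUST refer to the principal") is deliberately not reduced to
    "all NameIDs are equal": the proposed text allows the <saml:Subject> contents
    to differ between assertions, so that mapping needs out-of-band knowledge.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    problems = []
    if not assertions:
        return ["response carries no <saml:Assertion>"]
    # Certificate is required unless the AuthnRequest supplied its own
    # SubjectConfirmation or the SP indicated otherwise (e.g. via metadata).
    cert_required = not (request_had_subject_confirmation or sp_opted_out_of_certificate)
    has_authn_statement = False
    for i, a in enumerate(assertions):
        subject = a.find("saml:Subject", NS)
        if subject is None:
            problems.append(f"assertion {i}: no <saml:Subject>")
            continue
        if a.find("saml:AuthnStatement", NS) is not None:
            has_authn_statement = True
        confirmations = subject.findall("saml:SubjectConfirmation", NS)
        if not confirmations:
            problems.append(f"assertion {i}: no <saml:SubjectConfirmation>")
        for sc in confirmations:
            if sc.get("Method") != HOK:
                problems.append(f"assertion {i}: Method {sc.get('Method')!r} is not holder-of-key")
            if cert_required and sc.find(CERT_PATH, NS) is None:
                problems.append(f"assertion {i}: no <ds:X509Certificate> under <ds:X509Data>")
    if not has_authn_statement:
        problems.append("no assertion carries a <saml:AuthnStatement>")
    return problems


# --- constructed sample messages (hypothetical builders) --------------------
def _assertion(aid, name_id, method, with_cert, with_authn):
    cert = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...CONSTRUCTED..."
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>") if with_cert else ""
    authn = ('<saml:AuthnStatement AuthnInstant="2008-11-20T18:38:00Z"><saml:AuthnContext>'
             "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
             "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>") if with_authn else ""
    return (f'<saml:Assertion ID="{aid}" Version="2.0"><saml:Subject>'
            f"<saml:NameID>{name_id}</saml:NameID>"
            f'<saml:SubjectConfirmation Method="{method}">'
            f"<saml:SubjectConfirmationData>{cert}</saml:SubjectConfirmationData>"
            f"</saml:SubjectConfirmation></saml:Subject>{authn}</saml:Assertion>")


def _response(*assertions):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            + "".join(assertions) + "</samlp:Response>")


# Two HoK assertions for the same principal with differing NameIDs (allowed),
# one carrying the AuthnStatement, both carrying the certificate.
GOOD = _response(_assertion("_a1", "_transient-id", HOK, True, True),
                 _assertion("_a2", "user@example.org", HOK, True, False))
# Bearer confirmation, no certificate, no AuthnStatement: three violations.
BAD = _response(_assertion("_b1", "user@example.org", BEARER, False, False))
# HoK but certificate omitted: fine only when the request carried its own
# SubjectConfirmation (or the SP opted out).
NO_CERT = _response(_assertion("_c1", "user@example.org", HOK, False, True))

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("BAD", BAD), ("NO_CERT", NO_CERT)]:
        print(name, check_response(msg) or "conformant")
    print("NO_CERT with request SubjectConfirmation",
          check_response(NO_CERT, request_had_subject_confirmation=True) or "conformant")
```

The two flags stand in for the two escape hatches in the quoted text; how an SP signals the second one through metadata is exactly the open question raised in the reply, so the example leaves it as a caller-supplied boolean rather than inventing a metadata element.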