
security-services message



Subject: question on namespace definitions from ancestor element


A question from the SAML IOP test event has arisen. Any guidance would be appreciated.

 

Must an Assertion element be constructed so that it can be validated as a standalone element, outside of the enclosing Response element, with respect to its namespace definition? Or should the SP be able to obtain the namespace definition from the Response ancestor if the prefix is defined in the PrefixList attribute of the InclusiveNamespaces element? One of the parties involved cited section 5.4.3 of SAML Core, arguing that the assertion should be validated independently of the Response.

 

Below is the Response in question. The key part is the prefix “xmlns:xs="http://www.w3.org/2001/XMLSchema"” defined in the Response element and used later in an Attribute found in the Assertion.

 

 

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" …// Cut out rest of the attributes>
  <saml:Assertion ID="Assertion-uuid7ebdc94e-0122-112e-8a00-a4a0d87c9b31" IssueInstant="2009-07-15T14:08:02Z" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="uuid7ebdc964-0122-1d1f-8bcd-a4a0d87c9b31">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#Assertion-uuid7ebdc94e-0122-112e-8a00-a4a0d87c9b31">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsi xs saml"></xc14n:InclusiveNamespaces>
            </ds:Transform>
          </ds:Transforms>
    ...// Rest of the Signature element
    ...// More parts of the Assertion
    <saml:AttributeStatement>
      <saml:Attribute Name="us:gov:e-authentication:basic:assuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

 

Kyle Meadors

Drummond Group Inc.

Principal, Test Process

817-709-1627

kyle@drummondgroup.com

 

Calendar: http://tinyurl.com/KyleMeadors-DGI-Calendar
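Added example, not part of the original message: a Python check that lists which prefixes an Assertion uses but inherits from an ancestor, separating those visible in element or attribute names from those hidden inside xsi:type values, which exclusive canonicalization carries only when the PrefixList names them. The sample document is constructed, the xmlns:xsi declaration on Response is an assumption (the message cut those attributes out), and the function names are hypothetical.

```python
import xml.dom.minidom as minidom

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample modelled on the message. The xmlns:xsi declaration on
# Response is an assumption: the message cut those attributes out.
RESPONSE = """<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Assertion ID="a1" Version="2.0">
    <saml:AttributeStatement><saml:Attribute Name="level">
      <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def inherited_prefixes(response_xml):
    """Prefixes the Assertion uses but that are bound only on an ancestor.

    Returns (visible, hidden): visible ones appear in element or attribute
    names; hidden ones appear only inside xsi:type QName values.
    The default (unprefixed) namespace is not tracked.
    """
    doc = minidom.parseString(response_xml)
    assertion = doc.getElementsByTagNameNS(SAML, "Assertion")[0]
    visible, hidden = set(), set()

    def walk(el, scope):
        attrs = [el.attributes.item(i) for i in range(el.attributes.length)]
        # Prefixes declared on this element extend the in-subtree scope.
        scope = scope | {a.name[6:] for a in attrs if a.name.startswith("xmlns:")}
        used = {el.prefix} if el.prefix else set()
        used |= {a.prefix for a in attrs if a.prefix and a.prefix != "xmlns"}
        visible.update(used - scope)
        xsi_type = el.getAttributeNS(XSI, "type")
        if ":" in xsi_type:
            hidden.update({xsi_type.split(":", 1)[0]} - scope)
        for child in el.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, scope)

    walk(assertion, set())
    return visible, hidden - visible

def uncovered_by_prefix_list(response_xml, prefix_list):
    """Hidden inherited prefixes that the PrefixList does not name."""
    return inherited_prefixes(response_xml)[1] - set(prefix_list.split())
```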

 
