security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: Token correlation (Nate's summary)


Here is my consideration of one of the observations raised during the call, I think made by Thomas: "it isn't correct to link two SAMLs, because in that way you link the SAML also to the context; the SAML should be valid independently from the context in which it is used".

SAML-Y is valid independently from the context; the <token-correlation> condition doesn't specify SAML-X, it doesn't specify that SAML-X has to be linked to SAML-Y, it specifies an ID, it specifies that it can be linked to every SAML that has the same ID in the <subject> element.

SAML-Y is valid also if it is linked to SAML-Z, also to SAML-W; the constraint is that
SAML-Y.<token-correlation>==SAML-K.<subject>.

SAML-Y can be used many times with different SAML-K, until it expires.

/Federico/

-----Original message-----
From: Thomas Hardjono [mailto:hardjono@MIT.EDU]
Sent: Tuesday, 13 July 2010 19:35
To: OASIS SSTC
Cc: Rossini Federico; ndk@internet2.edu; Thomas Hardjono
Subject: Token correlation (Nate's summary)

Federico,

Thank you for presenting your work today to the SSTC.  We would like to hear regular updates about it.

Here is Nate's summary in today's SSTC call:

- The Token Correlation proposal makes sense.
- Use the Condition element.  There are at least 2 choices
  for linking assertion SAML-X with SAML-Y:
  (a) Put a pointer (to SAML-X) inside SAML-Y, or
  (b) Put the entire SAML-X assertion inside SAML-Y.
- Better (preferred) if both SAML-X and SAML-Y assertions
  are valid when they reach the Service provider.

Nate, did I miss anything?

/thomas/
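The check a service provider would run for the correlation constraint described in both messages above (SAML-Y.<token-correlation> == SAML-K.<subject>, with both assertions still valid when they arrive, per choice (a) of Nate's summary), as an added example that is not code from the SSTC proposal, from Federico, or from any SAML library. It assumes things the thread does not fix: the condition is an element named token-correlation in a made-up namespace urn:example:token-correlation carrying an ID attribute, and that ID is compared with the NameID text of the other assertion's <saml:Subject>. The sample assertions are constructed, unsigned and shortened.

```python
"""Correlation check between two SAML assertions (added example).

Assumptions (not fixed by the thread):
  - the condition is <tc:token-correlation ID="..."/> inside <saml:Conditions>,
    where the tc namespace is the made-up urn:example:token-correlation
  - the ID is matched against the NameID text of the other assertion's Subject
  - choice (a) from the summary: a pointer inside SAML-Y, not an embedded copy
XML-signature validation of each assertion is out of scope here and precedes
every check below in a real service provider.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TC = "urn:example:token-correlation"      # assumed namespace for the proposal
NS = {"saml": SAML, "tc": TC}


def make_assertion(assertion_id, issuer, name_id, not_before, not_on_or_after,
                   correlation=None):
    """Build a constructed, unsigned, minimal SAML 2.0 assertion as a string."""
    cond = f'<tc:token-correlation ID="{correlation}"/>' if correlation else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" xmlns:tc="{TC}" ID="{assertion_id}"'
        f' Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"{cond}</saml:Conditions></saml:Assertion>"
    )


# Constructed samples: X and W are two different "SAML-K" candidates for the
# same subject, Z is for another subject, Y carries the correlation condition.
SAML_X = make_assertion("_x1", "https://idp.example.org", "user-4711",
                        "2010-07-13T17:00:00Z", "2010-07-13T18:00:00Z")
SAML_W = make_assertion("_w1", "https://other-idp.example.net", "user-4711",
                        "2010-07-13T17:30:00Z", "2010-07-13T18:30:00Z")
SAML_Z = make_assertion("_z1", "https://idp.example.org", "user-9999",
                        "2010-07-13T17:00:00Z", "2010-07-13T18:00:00Z")
SAML_Y = make_assertion("_y1", "https://attr.example.org", "user-4711",
                        "2010-07-13T17:05:00Z", "2010-07-13T19:00:00Z",
                        correlation="user-4711")

# Constructed evaluation instants used by the demo.
T_BOTH_VALID = datetime(2010, 7, 13, 17, 10, tzinfo=timezone.utc)
T_W_VALID = datetime(2010, 7, 13, 17, 45, tzinfo=timezone.utc)
T_X_EXPIRED = datetime(2010, 7, 13, 18, 30, tzinfo=timezone.utc)   # Y still valid


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_valid_at(assertion, now):
    """Apply the assertion's own NotBefore / NotOnOrAfter window at time `now`."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        return False
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        return False
    return True


def subject_id(assertion):
    node = assertion.find("saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def correlation_id(assertion):
    node = assertion.find("saml:Conditions/tc:token-correlation", NS)
    return node.get("ID") if node is not None else None


def correlate(saml_y_xml, saml_k_xml, now):
    """Return (ok, reason): may SAML-Y be used together with SAML-K at `now`?"""
    y, k = ET.fromstring(saml_y_xml), ET.fromstring(saml_k_xml)
    if not is_valid_at(y, now):
        return False, "SAML-Y outside its validity window"
    if not is_valid_at(k, now):
        return False, "SAML-K outside its validity window"
    cid = correlation_id(y)
    if cid is None:
        return False, "SAML-Y carries no token-correlation condition"
    if cid != subject_id(k):
        return False, "correlation ID does not match SAML-K subject"
    return True, "correlated"


if __name__ == "__main__":
    print("Y with X:", correlate(SAML_Y, SAML_X, T_BOTH_VALID))   # accepted
    print("Y with W:", correlate(SAML_Y, SAML_W, T_W_VALID))      # accepted: reuse
    print("Y with Z:", correlate(SAML_Y, SAML_Z, T_BOTH_VALID))   # other subject
    print("Y with X later:", correlate(SAML_Y, SAML_X, T_X_EXPIRED))  # X expired
```

The "Y with W" case is Federico's point that SAML-Y is reusable with any SAML-K whose subject carries the same ID until SAML-Y expires, and the last case is Nate's preference that both assertions must be valid at the service provider, not just the one carrying the condition. A production check would compare the full NameID (Format and qualifiers, not only the text) and would only run after each assertion's signature and issuer have been verified.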

