
security-services message


Subject: New Draft: SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0

Hello SSTC,

A newer draft of the SAML2/OAuth2 profile is available at

I've tried to address the comments made by TC members (thanks again
especially to Scott) on a previous version of the draft when I
solicited input on this list back in July/Aug of last year.  That
feedback was very helpful so I thought I'd ask for your valuable input
again.  If you can find a few spare cycles, I'd very much appreciate
review and feedback on this latest draft.   As standards go it's not
very long, especially if you ignore the boilerplate text and
references, maybe that will help entice you to give it a read :)

Thank you,
Brian Campbell

As a cheat-sheet of sorts, here is a copy of the informal change log
from Appendix B:


   o  Added Parameter Registration Request for "assertion" to IANA

   o  Changed document name to draft-ietf-oauth-saml2-bearer in
      anticipation of becoming an OAUTH WG item.

   o  Attempt to move the entire definition of the 'assertion' parameter
      into this draft (it will no longer be defined in OAuth 2 Protocol


   o  Updated to reference draft-ietf-oauth-v2-11 and reflect changes
      from -10 to -11.

   o  Updated examples.

   o  Relaxed processing rules to allow for more than one
      SubjectConfirmation element.

   o  Removed the 'MUST NOT contain a NotBefore attribute' on

   o  Relaxed wording that ties the subject of the Assertion to the
      resource owner.

   o  Added some wording about identifying the client when the subject
      hasn't directly authenticated including an informative reference
      to SAML V2.0 Condition for Delegation Restriction.

   o  Added a few examples to the language about verifying that the
      Assertion is valid in all other respects.

   o  Added some wording to the introduction about the similarities to
      Web SSO in the format and processing rules

   o  Changed the grant_type (was assertion_type) URI from
      http://oauth.net/assertion_type/saml/2.0/bearer to

   o  Changed title to include "Grant Type" in it.

   o  Editorial updates based on feedback from the WG and others
      (including capitalization of Assertion when referring to SAML).


   o  Initial I-D
