[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: my ballot for GROUPS 6, 7, 8, 9
>>>>> "MP" == Mishra, Prateek <pmishra@netegrity.com> writes:
MP> Some care is needed on this issue. Are we proposing to build a
MP> general packaging infra-structure so SAML can "enclose"
MP> arbitrary XML payloads?? To me that seems to be far beyond the
MP> scope (and resources) of this group.
I disagree about the difficulty of implementing this. It seems that
<extension> types, as used in AuthXML, would be totally sufficient for
enveloping data.
For example, take this hypothetical message for requesting
authorization to use a resource (push model SSO), which includes some
info about the user's current color preferences in an Extension:
<HypotheticalAuthZRequestMessage>
<AuthNDataPlusAuthZAttributes>
[...]
</AuthNDataPlusAuthZAttributes>
[...Other SAML Message Stuff...]
<Extension xmlns:prefs="blahblahblah">
<prefs:BackgroundColor>lime green</prefs:BackgroundColor>
</Extension>
</HypotheticalAuthZRequestMessage>
Here, the request message envelopes data from another namespace,
fairly straightforwardly. Without this kind of piggybacking, the data
is going to have to be sent through another (probably custom)
protocol, with some kind of reference to the identity of the
subject.
Similarly, data could be attached to an assertion, like:
<AuthNDataPlusAuthZAttributes>
<Name>Evan</Name>
<Rank>...</Rank>
<SerialNumber>0</SerialNumber>
<Extension xmlns:xface="blahblahandalsoblah">
<xface:data>
,g%"s<[u6Q6D*^>I)#,vi>V"A^D?MvkJMqVf]W]CHsD*{DdN|)"|#.=JC648WQDJO5^+.-!
]5Ff;$uEOKPq2CjF:?";[Hn=pjFzy!R5he8;Gq&~Rp9^R4\="q@~95,u`N2Mst@;/Ie1nJ,0+FyA>T
CO\<%I%)A0g|J\9#:/]v{9X-Ab\bA[zi*^L}]?=jM,hn18^FqA}IRw+O9z]bFZ%pkySg#Z{E6}7R<o
O]e/
</xface:data>
</Extension>
</AuthNDataPlusAuthZAttributes>
Here, the assertion of the subject's identity is accompanied by a
tiny, low-res, grainy picture of subject according to the X-Face
standard.
I think for SAML to be extensible at all, it's going to need to have
extension items. And if it has extension items, we can do enveloping.
There is, of course, a conceptual difference between an extension to
the SAML standard and a payload orthogonal to security
issues. However, it seems to me that the same mechanism can be used to
provide both types of functionality. (With later versions of AuthXML,
a flag was added to an extension to indicate if the extension was
crucial to the surrounding element, or could be ignored.)
~ESP
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC