Subject: Re: [ws-sx-comment] Request Security Token Response Collection
Hello,

This means that if I have only a round trip for issuing a SAML token, for instance,

<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
</wst:RequestSecurityToken>

and the response:

<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_d4e5f9c06806a4de10c392fd0cff9add"
        IssueInstant="2009-01-28T14:03:07.991Z" Version="2.0">
    ...

is NOT correct, since it is a final leg. It MUST be something like:

<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestSecurityTokenResponse Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
    <wst:RequestedSecurityToken>
      <saml:Assertion ... >
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>

Am I wrong? If yes, I would suggest clarifying the document a bit more (maybe with an example).

Thanks,

Massimiliano

On 27 Jan 2009, at 18:05, Marc Goodner wrote:

> RSTRC is a MUST on the final response only. See section 3.2.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> Section 4.3 does also mention RSTRC is a MUST on the final response,
> I don't see that in the text you quote below. Here is the text from
> the spec:
> "The <wst:RequestSecurityTokenResponseCollection> element (RSTRC)
> MUST be used to return a security token or response to a security
> token request on the final response."
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064960
>
> The note that RSTRC is a must for the final response only is
> important for the challenge/nego extensions covered in section 8.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> In these interactions the exchange pattern is RTR -> RSTR -> RSTR ->
> RSTRC. The RSTR -> RSTR interaction is not limited to a single
> response/reply, thus RSTRC is used to remove any ambiguity and
> signal that the interaction is complete. It was determined that
> RSTRC should always be used on the final response even when there
> was no challenge/nego in play or even only a single token was
> returned. It made the overall model in the protocol more consistent.
> I agree it was one of the biggest changes from the input spec.
>
> Also, the schema is non-deterministic as it has a number of
> extensibility points. It alone cannot be used to determine if a
> message is correct or not.
>
> -----Original Message-----
> From: Massimiliano Masi [mailto:Massimiliano.Masi@tiani-spirit.com]
> Sent: Monday, January 26, 2009 1:48 AM
> To: ws-sx-comment@lists.oasis-open.org
> Subject: [ws-sx-comment] Request Security Token Response Collection
>
> Hello,
>
> I am a bit confused on the WS-Trust 1.3 spec. In section 4.3,
>
> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token.
>
> This means that an RSTR like:
>
> <soap:Body>
>   <wst:RequestSecurityTokenResponse>
>     <wst:RequestedSecurityToken>
>       <xyz:CustomToken>
>
> is not valid? The schema correctly parses it.
>
> Why do you need to use an RSTRC even for 1 token? It's a big change
> from ws-trust 1.0.
>
> Ciao,
>
> Massimiliano
>
> --
> Massimiliano Masi
>
> Tiani "Spirit" GmbH
> Guglgasse 6
> Gasometer A
> 1110 Vienna
> Austria/Europe
>
> --
> This publicly archived list offers a means to provide input to the
> OASIS Web Services Secure Exchange (WS-SX) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> List help: ws-sx-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

--
Massimiliano Masi

Tiani "Spirit" GmbH
Guglgasse 6
Gasometer A
1110 Vienna
Austria/Europe
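The conformance point argued in this thread, as an added example (not code from the thread or from the WS-SX TC): a small checker that rejects a final-leg WS-Trust 1.3 response whose Body carries a bare RSTR instead of an RSTRC wrapping one or more RSTRs. The SOAP 1.2 namespace, the Context value and the sample messages are constructed assumptions.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"  # assumed SOAP version
RSTRC = "{%s}RequestSecurityTokenResponseCollection" % WST
RSTR = "{%s}RequestSecurityTokenResponse" % WST
REQUESTED_TOKEN = "{%s}RequestedSecurityToken" % WST


def check_final_response(envelope_xml: str) -> dict:
    """Return {'ok', 'reason', 'tokens'} for a final-leg WS-Trust 1.3 reply:
    ok only when the single Body child is an RSTRC wrapping RSTRs that each
    carry a RequestedSecurityToken; a bare RSTR is reported as non-conformant."""
    root = ET.fromstring(envelope_xml)
    # Accept SOAP 1.1 or 1.2: match on the local name of the Body element.
    body = next((c for c in root if c.tag.endswith("}Body")), None)
    if body is None or len(body) != 1:
        return {"ok": False, "reason": "Body must carry exactly one child", "tokens": 0}
    top = body[0]
    if top.tag == RSTR:
        return {"ok": False, "reason": "bare RSTR on final response; RSTRC required", "tokens": 0}
    if top.tag != RSTRC:
        return {"ok": False, "reason": "unexpected Body child " + top.tag, "tokens": 0}
    tokens = 0
    for rstr in top.findall(RSTR):
        found = rstr.findall(REQUESTED_TOKEN)
        if not found:
            return {"ok": False, "reason": "RSTR without RequestedSecurityToken", "tokens": tokens}
        tokens += len(found)
    # An RSTRC that wraps no RSTR at all is rejected as well.
    return {"ok": tokens > 0, "reason": "" if tokens else "RSTRC carries no RSTR", "tokens": tokens}


def envelope(body_xml: str) -> str:
    """Wrap a fragment in a SOAP 1.2 envelope (constructed test input)."""
    return ('<s:Envelope xmlns:s="%s" xmlns:wst="%s"><s:Body>%s</s:Body></s:Envelope>'
            % (SOAP12, WST, body_xml))


# Constructed samples modelled on the thread's messages (Context value is a placeholder).
RSTR_FRAGMENT = ('<wst:RequestSecurityTokenResponse Context="urn:uuid:placeholder">'
                 '<wst:RequestedSecurityToken>'
                 '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"/>'
                 '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>')
BARE_RSTR = envelope(RSTR_FRAGMENT)
WRAPPED = envelope("<wst:RequestSecurityTokenResponseCollection>%s"
                   "</wst:RequestSecurityTokenResponseCollection>" % RSTR_FRAGMENT)
```

Because the schema's extensibility points make schema validation alone insufficient (as Marc notes), a structural check like this is what an STS client would apply on top of parsing.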