Subject: Re: [ws-sx-comment] Request Security Token Response Collection



Hello,

This means that if I have only a round trip for issuing a SAML token, for instance,

<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
</wst:RequestSecurityToken>

and the response:

<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
   <wst:RequestedSecurityToken>
     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d4e5f9c06806a4de10c392fd0cff9add" IssueInstant="2009-01-28T14:03:07.991Z" Version="2.0"> ...

is NOT correct, since it is a final leg.

It MUST be something like:

<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestSecurityTokenResponse Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
    <wst:RequestedSecurityToken>
      <saml:Assertion ... >
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>


Am I wrong? If so, I would suggest clarifying the document a bit more (maybe with an example).

Thanks,

	Massimiliano


On 27 Jan 2009, at 18:05, Marc Goodner wrote:

> RSTRC is a MUST on the final response only. See section 3.2.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> Section 4.3 does also mention RSTRC is a MUST on the final response,  
> I don't see that in the text you quote below. Here is the text from  
> the spec:
> "The <wst:RequestSecurityTokenResponseCollection> element (RSTRC)  
> MUST be used to return a security token or response to a security  
> token request on the final response."
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064960
>
> The note that RSTRC is a must for the final response only is  
> important for the challenge/nego extensions covered in section 8.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> In these interactions the exchange pattern is RST -> RSTR -> RSTR ->
> RSTRC. The RSTR -> RSTR interaction is not limited to a single
> response/reply, thus RSTRC is used to remove any ambiguity and
> signal that the interaction is complete. It was determined that
> RSTRC should always be used on the final response even when there
> was no challenge/nego in play or even only a single token was
> returned. It made the overall model in the protocol more consistent.
> I agree it was one of the biggest changes from the input spec.
>
> Also, the schema is non-deterministic as it has a number of
> extensibility points. It alone cannot be used to determine if a
> message is correct or not.
>
> -----Original Message-----
> From: Massimiliano Masi [mailto:Massimiliano.Masi@tiani-spirit.com]
> Sent: Monday, January 26, 2009 1:48 AM
> To: ws-sx-comment@lists.oasis-open.org
> Subject: [ws-sx-comment] Request Security Token Response Collection
>
>
> Hello,
>
> I am a bit confused on the WS-Trust 1.3 spec. In section 4.3,
>
> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token.
>
> This means that an RSTR like:
>
> <soap:Body>
>  <wst:RequestSecurityTokenResponse>
>    <wst:RequestedSecurityToken>
>      <xyz:CustomToken>
>
>
> is not valid? The schema correctly parses it.
>
> Why do you need to use an RSTRC even for 1 token? It's a big change
> from WS-Trust 1.0.
>
> Ciao,
>
>        Massimiliano
>
> - --
> Massimiliano Masi
>
> Tiani "Spirit" GmbH
> Guglgasse 6
> Gasometer A
> 1110  Vienna
> Austria/Europe
>
> --
> This publicly archived list offers a means to provide input to the
> OASIS Web Services Secure Exchange (WS-SX) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> List help: ws-sx-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

- --
Massimiliano Masi

Tiani "Spirit" GmbH
Guglgasse 6
Gasometer A
1110  Vienna
Austria/Europe

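An added structural check for the rule the thread settles on (example code written for this page, not from the WS-Trust spec, the TC or either poster). It assumes SOAP 1.1 envelopes, constructs its own sample messages, and uses <wst:SignChallenge> as the interim challenge shape from the section 8 extensions the reply mentions; schema validation alone would pass the bare RSTR, which is exactly the gap the reply describes.

```python
"""WS-Trust 1.3 final-response shape check (added example, not from the thread).

Rule from the reply above: the final leg MUST wrap each RSTR in an RSTRC;
a bare RSTR is only an interim challenge/negotiation leg, so a bare RSTR
that already carries a token (the SAML example above) is the mistake
being discussed.  Sample messages below are constructed for this example.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope (assumed)
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
BODY = f"{{{SOAP}}}Body"
RSTRC = f"{{{WST}}}RequestSecurityTokenResponseCollection"
RSTR = f"{{{WST}}}RequestSecurityTokenResponse"
TOKEN = f"{{{WST}}}RequestedSecurityToken"


def classify_response(soap_xml: str) -> str:
    """Return 'final' (RSTRC of token-bearing RSTRs), 'interim' (bare RSTR
    without a token) or 'invalid' (anything else, incl. a token outside RSTRC)."""
    body = ET.fromstring(soap_xml).find(BODY)
    if body is None or len(body) != 1:
        return "invalid"
    top = body[0]
    if top.tag == RSTRC:
        rstrs = list(top)
        ok = bool(rstrs) and all(r.tag == RSTR and r.find(TOKEN) is not None for r in rstrs)
        return "final" if ok else "invalid"
    if top.tag == RSTR:
        # A token delivered outside RSTRC means an RSTR was used as the final leg.
        return "invalid" if top.find(TOKEN) is not None else "interim"
    return "invalid"


def envelope(body_inner: str) -> str:
    """Wrap a Body payload in a minimal SOAP 1.1 envelope (constructed sample)."""
    return (f'<S:Envelope xmlns:S="{SOAP}" xmlns:wst="{WST}">'
            f"<S:Body>{body_inner}</S:Body></S:Envelope>")


TOKEN_XML = '<wst:RequestedSecurityToken><x:T xmlns:x="urn:example:tok"/></wst:RequestedSecurityToken>'
RSTR_XML = f"<wst:RequestSecurityTokenResponse>{TOKEN_XML}</wst:RequestSecurityTokenResponse>"
BARE_RSTR = envelope(RSTR_XML)                                    # the SAML-style mistake
WRAPPED = envelope(f"<wst:RequestSecurityTokenResponseCollection>{RSTR_XML}"
                   "</wst:RequestSecurityTokenResponseCollection>")  # what the spec requires
CHALLENGE = envelope("<wst:RequestSecurityTokenResponse><wst:SignChallenge/>"
                     "</wst:RequestSecurityTokenResponse>")          # interim leg, section 8
```

Running classify_response over the three samples yields "invalid" for the bare token-bearing RSTR, "final" for the RSTRC-wrapped form and "interim" for the challenge leg.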
