Subject: RE: [ws-sx-comment] Request Security Token Response Collection


I believe you are correct. There are examples in the document, but they are next to the specific parts of the protocol they describe. For the request see section 4.1, request collection in 4.2. For the response see 4.4.4 through 4.4.10.

-----Original Message-----
From: Massimiliano Masi [mailto:Massimiliano.Masi@tiani-spirit.com]
Sent: Wednesday, January 28, 2009 6:48 AM
To: Marc Goodner
Cc: ws-sx-comment@lists.oasis-open.org
Subject: Re: [ws-sx-comment] Request Security Token Response Collection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

This means that if I have only a round trip for issuing a SAML token
for instance,

<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
</wst:RequestSecurityToken>

and the response:

<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d4e5f9c06806a4de10c392fd0cff9add" IssueInstant="2009-01-28T14:03:07.991Z" Version="2.0"> ...

is NOT correct, since it is a final leg.

It MUST be something like:

<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestSecurityTokenResponse Context="urn:uuid:3A363C8D1FAAA58B081233151366704">
    <wst:RequestedSecurityToken>
      <saml:Assertion ... >
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>


Am I wrong? If so, I would suggest clarifying the document a bit more (maybe with an example).

Thanks,

        Massimiliano


On 27 Jan 2009, at 18:05, Marc Goodner wrote:

> RSTRC is a MUST on the final response only. See section 3.2.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> Section 4.3 does also mention RSTRC is a MUST on the final response,
> I don't see that in the text you quote below. Here is the text from
> the spec:
> "The <wst:RequestSecurityTokenResponseCollection> element (RSTRC)
> MUST be used to return a security token or response to a security
> token request on the final response."
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064960
>
> The note that RSTRC is a must for the final response only is
> important for the challenge/nego extensions covered in section 8.
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064953
>
> In these interactions the exchange pattern is RST -> RSTR -> RSTR ->
> RSTRC. The RSTR -> RSTR interaction is not limited to a single
> response/reply, thus RSTRC is used to remove any ambiguity and
> signal that the interaction is complete. It was determined that
> RSTRC should always be used on the final response even when there
> was no challenge/nego in play or even only a single token was
> returned. It made the overall model in the protocol more consistent.
> I agree it was one of the biggest changes from the input spec.
>
> Also, the schema is non-deterministic as it has a number of
> extensibility points. It alone cannot be used to determine if a
> message is correct or not.
>
> -----Original Message-----
> From: Massimiliano Masi [mailto:Massimiliano.Masi@tiani-spirit.com]
> Sent: Monday, January 26, 2009 1:48 AM
> To: ws-sx-comment@lists.oasis-open.org
> Subject: [ws-sx-comment] Request Security Token Response Collection
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I am a bit confused on the WS-Trust 1.3 spec. In section 4.3,
>
> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token.
>
> This means that an RSTR like:
>
> <soap:Body>
>  <wst:RequestSecurityTokenResponse>
>    <wst:RequestedSecurityToken>
>      <xyz:CustomToken>
>
>
> is not valid? The schema correctly parses it.
>
> Why do you need to use an RSTRC even for 1 token? It's a big change
> from ws-trust 1.0.
>
> Ciao,
>
>        Massimiliano
>
> - --
> Massimiliano Masi
>
> Tiani "Spirit" GmbH
> Guglgasse 6
> Gasometer A
> 1110  Vienna
> Austria/Europe
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkl9hs8ACgkQaCwPO3A6yMaa9ACfSW7KHMWFI5bvgjyQMJSNTIt5
> 2Q0AnjAkP6KOJKoOfOL+91ibTCu5chr7
> =/Ow6
> -----END PGP SIGNATURE-----
>
> --
> This publicly archived list offers a means to provide input to the
> OASIS Web Services Secure Exchange (WS-SX) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> List help: ws-sx-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx
>

- --
Massimiliano Masi

Tiani "Spirit" GmbH
Guglgasse 6
Gasometer A
1110  Vienna
Austria/Europe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkmAcAYACgkQaCwPO3A6yMZvGACfc+WEEaxT+HGHN6ohRxqQKBQX
PGUAniXJp4EDzbl7xW/XOA7bVMqB4y84
=nS9E
-----END PGP SIGNATURE-----
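The distinction the thread settles on (a bare RSTR is only an intermediate challenge/negotiation leg; the final response, even for a single issued token, is wrapped in an RSTRC) is the kind of structural check that, as Marc notes, the schema alone cannot make because of its extensibility points. The following is an added example, not code from this thread, from OASIS, or from any WS-Trust implementation. It classifies a WS-Trust 1.3 response as final, intermediate or invalid using the 200512 namespace and SAML 2.0 assertion namespace quoted in the thread, and only extracts assertion IDs from a final response. The SOAP 1.1 envelope namespace is an assumption, and the sample messages are constructed for illustration.

```python
"""Classify WS-Trust 1.3 responses as final (RSTRC-wrapped) or bare RSTR.

Added example; not from the ws-sx-comment thread or from OASIS.
Namespaces for WS-Trust 200512 and SAML 2.0 are those quoted in the
thread; the SOAP 1.1 envelope namespace is assumed. For untrusted input,
parse with a hardened parser (e.g. defusedxml) instead of ElementTree."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumed SOAP 1.1
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def _q(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def response_payload(root):
    """Element carrying the WS-Trust response: the single child of
    soap:Body when the input is an envelope, otherwise the root itself.
    Returns None when a Body holds zero or several children."""
    if root.tag == _q(SOAP, "Envelope"):
        body = root.find(_q(SOAP, "Body"))
        if body is not None:
            children = list(body)
            return children[0] if len(children) == 1 else None
    return root


def classify_response(xml_text):
    """'final' for an RSTRC whose RSTRs each carry a RequestedSecurityToken,
    'intermediate' for a bare RSTR (legal only as a challenge/negotiation
    leg under section 8), 'invalid' for anything else."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "invalid"
    payload = response_payload(root)
    if payload is None:
        return "invalid"
    if payload.tag == _q(WST, "RequestSecurityTokenResponseCollection"):
        rstrs = payload.findall(_q(WST, "RequestSecurityTokenResponse"))
        if not rstrs:
            return "invalid"
        for rstr in rstrs:
            if rstr.find(_q(WST, "RequestedSecurityToken")) is None:
                return "invalid"
        return "final"
    if payload.tag == _q(WST, "RequestSecurityTokenResponse"):
        return "intermediate"
    return "invalid"


def issued_saml_assertion_ids(xml_text):
    """IDs of SAML 2.0 assertions returned in a final RSTRC; an empty list
    for anything that is not a final response."""
    if classify_response(xml_text) != "final":
        return []
    payload = response_payload(ET.fromstring(xml_text))
    ids = []
    for rst in payload.iter(_q(WST, "RequestedSecurityToken")):
        for assertion in rst.findall(_q(SAML2, "Assertion")):
            ids.append(assertion.get("ID"))
    return ids


# Constructed sample messages (Context and ID values are made up).
BARE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="%s" Context="urn:uuid:example">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="%s" ID="_constructed-1" Version="2.0"/>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""" % (WST, SAML2)

FINAL_RSTRC = """<soap:Envelope xmlns:soap="%s"><soap:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="%s">
  <wst:RequestSecurityTokenResponse Context="urn:uuid:example">
    <wst:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="%s" ID="_constructed-1" Version="2.0"/>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</soap:Body></soap:Envelope>""" % (SOAP, WST, SAML2)

EMPTY_RSTRC = '<wst:RequestSecurityTokenResponseCollection xmlns:wst="%s"/>' % WST

if __name__ == "__main__":
    for name, msg in (("bare RSTR", BARE_RSTR), ("RSTRC", FINAL_RSTRC),
                      ("empty RSTRC", EMPTY_RSTRC)):
        print(name, "->", classify_response(msg))
    print("issued:", issued_saml_assertion_ids(FINAL_RSTRC))
```

A requestor that expects a single issue round trip should treat anything other than a final RSTRC as a protocol deviation rather than silently using the token from a bare RSTR, which is exactly the ambiguity the RSTRC wrapper was introduced to remove.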
