Subject: Re: [wss-comment] Problem with Sender Vouchers example in SAML TokenProfile 1.0 and 1.1
Tom Scavo wrote:
> On Tue, Nov 11, 2008 at 7:58 PM, Glen Mazza <glen.mazza@gmail.com> wrote:
>
>> The Sender-Vouchers SAML example in both the SAML Token Profile 1.0 and in
>> 1.1 appears to be in error--the configuration is using the holder-of-key URN
>> not the sender-vouches one.
>>
>> Links [1] (Question #4) and [2] explain the issue.
>
> The conclusions of the above thread are basically correct. Perhaps
> this doc may also help:
>
> http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation
>
>> It would be nice if the docs could be updated to remove the confusion.
>
> Not likely since the WSS TC is closed.
>

Please look at the examples in the WSS STP more closely. The examples being referred to depict the use of SAML tokens to allow one party (aka, the sender) to attest to (i.e., vouch for) another. There are 2 SAML assertions. The assertion (referenced by STR2) corresponds to the sender and is HOK confirmed. The assertion that corresponds to the party being vouched for (as referenced by STR1) is SV confirmed. The sender is using its key to sign and thus bind the SV confirmed assertion to the message. As such, the sender is using its key to vouch for the claims appearing in the SV confirmed assertion (which apply to another entity). The HOK assertion of the sender could be replaced with the X509 cert of the sender, and the effect would be equivalent. The example shows how the same effect can be achieved using only SAML assertions.

The example also shows the use of the STR transform during signing of the vouched for assertion, and as such the vouched for assertion does not occur in the message. In retrospect, including the vouched for assertion in the msg (and depicting the use of the STR transform in another example) would have simplified the example, and allowed folks to recognize the presence of the SV confirmed assertion.

Ron

>> Regards,
>> Glen
>
> Tom Scavo
>
>> [1] http://tinyurl.com/59ucl6
>> [2] http://tinyurl.com/6j89gp
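The two-assertion layout Ron describes, as an added example that is not part of this thread or of the WSS SAML Token Profile itself. The script builds a constructed WS-Security envelope in which STR2 (inside ds:KeyInfo) names the sender's holder-of-key assertion and STR1 (covered by a ds:Reference that applies the STR-Transform) names the sender-vouches assertion of the party being vouched for, then checks that the confirmation methods match those roles. It follows Ron's hindsight suggestion and places both assertions in the message. Assertion IDs, subject names, issuer and timestamps are constructed; the SignatureValue is a placeholder and no cryptographic verification is performed (that needs an XML-DSig library). Only the namespace, confirmation-method, ValueType and STR-Transform URIs are real.

```python
# Added example (not from the thread): structural check of the sender-vouches
# pattern.  Assumed: both assertions are inline, the signing key is identified
# by an STR in ds:KeyInfo, and the vouched-for token is covered by a Reference
# that applies the STR-Transform.  Signature bytes are NOT verified here.
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SV = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
WSU_ID = "{%s}Id" % NS["wsu"]


def _assertion(aid, subject, method):
    """Minimal SAML 1.1 assertion (constructed); an HOK subject carries its key."""
    key = "<ds:KeyInfo><ds:KeyName>%s-key</ds:KeyName></ds:KeyInfo>" % subject if method == HOK else ""
    return f"""<saml:Assertion AssertionID="{aid}" MajorVersion="1" MinorVersion="1"
      Issuer="urn:example:issuer" IssueInstant="2008-11-11T00:00:00Z">
     <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2008-11-11T00:00:00Z">
      <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier>
       <saml:SubjectConfirmation><saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>{key}</saml:SubjectConfirmation>
      </saml:Subject></saml:AuthenticationStatement></saml:Assertion>"""


def build_message(vouched_method=SV, sender_method=HOK):
    """Constructed envelope: STR1 names the vouched-for token, STR2 the sender's."""
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <S:Header><wsse:Security>
   {_assertion('sender-assertion', 'sender', sender_method)}
   {_assertion('vouched-assertion', 'alice', vouched_method)}
   <wsse:SecurityTokenReference wsu:Id="STR1">
    <wsse:KeyIdentifier ValueType="{SAML_ID}">vouched-assertion</wsse:KeyIdentifier>
   </wsse:SecurityTokenReference>
   <ds:Signature><ds:SignedInfo>
     <ds:Reference URI="#STR1"><ds:Transforms>
      <ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference>
     <ds:Reference URI="#body"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR2">
      <wsse:KeyIdentifier ValueType="{SAML_ID}">sender-assertion</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
 </wsse:Security></S:Header>
 <S:Body wsu:Id="body"/>
</S:Envelope>"""


def _confirmation_methods(sec):
    """AssertionID -> ConfirmationMethod of the assertion's first SubjectConfirmation."""
    out = {}
    for a in sec.findall("saml:Assertion", NS):
        cm = a.find(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
        out[a.get("AssertionID")] = cm.text.strip() if cm is not None and cm.text else None
    return out


def _str_targets(sec):
    """wsu:Id of each SecurityTokenReference -> AssertionID named by its KeyIdentifier."""
    out = {}
    for s in sec.iter("{%s}SecurityTokenReference" % NS["wsse"]):
        ki = s.find("wsse:KeyIdentifier", NS)
        if ki is not None and ki.get("ValueType") == SAML_ID and ki.text:
            out[s.get(WSU_ID)] = ki.text.strip()
    return out


def check_sender_vouches(envelope_xml):
    """Return the sender, the vouched-for assertions, and any structural problems."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("S:Header/wsse:Security", NS)
    methods, targets = _confirmation_methods(sec), _str_targets(sec)
    sig = sec.find("ds:Signature", NS)
    problems = []
    # The signing key belongs to the sender: ds:KeyInfo -> STR2 -> sender's assertion, which must be HOK.
    key_str = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    sender = targets.get(key_str.get(WSU_ID)) if key_str is not None else None
    if methods.get(sender) != HOK:
        problems.append(f"sender assertion {sender!r} must be holder-of-key, got {methods.get(sender)!r}")
    # Each Reference that applies the STR-Transform binds a token to the signature; since the
    # sender's key is behind that signature, the bound token must be sender-vouches confirmed.
    vouched = []
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        if STR_TRANSFORM not in algs:
            continue
        aid = targets.get(ref.get("URI", "").lstrip("#"))
        vouched.append(aid)
        if methods.get(aid) != SV:
            problems.append(f"vouched-for assertion {aid!r} must be sender-vouches, got {methods.get(aid)!r}")
    if not vouched:
        problems.append("signature does not cover any SAML token via the STR-Transform")
    return {"sender": sender, "vouched_for": vouched, "problems": problems}


if __name__ == "__main__":
    print(check_sender_vouches(build_message()))
    # The confusion Glen reported: a "sender-vouches" token that actually says holder-of-key.
    print(check_sender_vouches(build_message(vouched_method=HOK)))
```

`build_message(vouched_method=HOK)` reproduces the mix-up the thread is about, and the checker reports it as a problem; a receiver doing the same mapping (signing key to STR2 to HOK assertion, STR-Transformed Reference to STR1 to SV assertion) can tell, before any cryptography runs, which party is vouching and which is being vouched for.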