wss-m-comment message



Subject: Question on "Web Services Security SAML Token Profile Version 1.1.1" - is the example for sender-vouches (3.5.2) correct?


Hello @all,

 

We are currently working on an issue concerning the signature of a message that uses the “sender-vouches” confirmation method.

 

What we know:

- When using “sender-vouches” as the SAML confirmation method, you can use a ds:Signature element to sign the SAML assertion and the message body.

 

Not clear:

The correct location of the ds:Signature element for “sender-vouches”. Should the ds:Signature be within the SAML Assertion element, or can it be outside of it, within the wsse:Security element (which also contains the Assertion)?

 

Your example under http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc307397296, part 3.5.2.4, looks like a poor copy of the “holder-of-key” example. The confirmation method is wrong, so it’s not clear whether there are other copy & paste errors, too.

The description for “holder-of-key” explicitly states that the SAML Assertion should contain the ds:Signature. The description for “sender-vouches” doesn’t contain such a statement.

 

Would this be a more correct example:

 

<S12:Envelope xmlns:S12="..." xmlns:wsu="...">
  <S12:Header>
    <wsse:Security xmlns:wsse="..." xmlns:wsse11="..." xmlns:ds="...">
      <saml2:Assertion xmlns:saml2="..." xmlns:xsi="..."
          ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
        <saml2:Subject>
          <saml2:NameID>
            ...
          </saml2:NameID>
          <saml2:SubjectConfirmation
              Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
            <saml2:SubjectConfirmationData
                xsi:type="saml2:KeyInfoConfirmationDataType">
              <ds:KeyInfo>
                <ds:KeyValue>...</ds:KeyValue>
              </ds:KeyInfo>
            </saml2:SubjectConfirmationData>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Statement>
          ...
        </saml2:Statement>
      </saml2:Assertion>

      <wsse:SecurityTokenReference wsu:Id="STR1"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
        <wsse:Reference wsu:Id="..."
            URI="https://www.opensaml.org?_a75adf55-01d7-40cc-929f-dbd8372ebdbe">
        </wsse:Reference>
      </wsse:SecurityTokenReference>

      <ds:Signature>
        <ds:SignedInfo>
... (continue like in part 3.5.2.4)

 

 

Kind regards,

Cornelia Remmicke

 

Within the framework of the contractual relationship between Volkswagen AG and ITARICON GmbH, I am contacting you with the above request.

If you have any further questions, you can contact Mr. Herbert Franke (herbert2.franke@volkswagen.de) at any time.

 

ITARICON Digital Customer Solutions

_____________________________________________________________

ITARICON GmbH

Wiener Platz 9, 01069 Dresden
Managing Directors: Thomas Reppe, Jörg Atai-Nölke, Daniel Kunze
Commercial register: Amtsgericht Dresden HRB 24701
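One structural check a relying party could run against the layout proposed in the question above, added here as an example that is not part of this thread or of the OASIS profile: it parses a SOAP envelope and confirms that the sender-vouches assertion sits in wsse:Security next to a ds:Signature whose References cover the assertion (directly, or via the wsse:SecurityTokenReference) and the Body. The namespace URIs and the minimal sample message are assumptions constructed for the example; cryptographic verification of the signature is out of scope here.

```python
from xml.etree import ElementTree as ET

# Namespace URIs behind the "..." in the question's example; prefixes follow the profile.
NS = {"S12": "http://www.w3.org/2003/05/soap-envelope",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
WSU_ID = "{%s}Id" % NS["wsu"]

def _covered_ids(sec, sig):
    # IDs named by ds:Reference/@URI ("#x" -> "x"), plus the token an STR in the header points at.
    ids = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = ref.get("URI", "").split("#", 1)[-1]
        ids.add(target)
        for str_el in sec.findall("wsse:SecurityTokenReference", NS):
            inner = str_el.find("wsse:Reference", NS)
            if str_el.get(WSU_ID) == target and inner is not None:
                ids.add(inner.get("URI", "").split("#", 1)[-1])
    return ids

def check_sender_vouches(envelope_xml):
    # Returns the structural problems found; [] means the layout matches the question's proposal.
    root = ET.fromstring(envelope_xml)
    sec = root.find("S12:Header/wsse:Security", NS)
    assertion = sec.find("saml2:Assertion", NS) if sec is not None else None
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if assertion is None or sig is None:
        return ["wsse:Security must contain both the saml2:Assertion and the attesting entity's ds:Signature"]
    problems = []
    conf = assertion.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != SENDER_VOUCHES:
        problems.append("SubjectConfirmation/@Method is not sender-vouches")
    covered = _covered_ids(sec, sig)
    if assertion.get("ID") not in covered:
        problems.append("signature does not cover the Assertion (directly or via the STR)")
    body = root.find("S12:Body", NS)
    if body is None or body.get(WSU_ID) not in covered:
        problems.append("signature does not cover the Body")
    return problems

# Constructed minimal message in the proposed layout (signature contents elided; no crypto here).
SAMPLE = """<S12:Envelope xmlns:S12="{S12}" xmlns:wsu="{wsu}"><S12:Header>
<wsse:Security xmlns:wsse="{wsse}" xmlns:ds="{ds}">
<saml2:Assertion xmlns:saml2="{saml2}" ID="_a1"><saml2:Subject><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/></saml2:Subject></saml2:Assertion>
<wsse:SecurityTokenReference wsu:Id="STR1"><wsse:Reference URI="#_a1"/></wsse:SecurityTokenReference>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#STR1"/><ds:Reference URI="#body"/>
</ds:SignedInfo></ds:Signature></wsse:Security></S12:Header>
<S12:Body wsu:Id="body">...</S12:Body></S12:Envelope>""".format(**NS)
```

Running `check_sender_vouches(SAMPLE)` returns an empty list; changing the confirmation method, or removing the Reference to the STR or to the Body, makes the corresponding problem appear.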

 


