Subject: the saml token profile depends on non-global attributes in keyidentifier/wsse schema does not support keyIdentifier element extensibility
The schema for wsse:KeyIdentifier does not support element extensibility. The SAML token profile relies on non-global saml attributes (i.e. saml:local and saml:binding) to format keyIdentifier SecurityTokenReferences. The non-global attributes could be replaced with the global saml:AuthorityBinding element, if the wsse:KeyIdentifier supported element extensibility.

There are 2 paths forward:

. Modify the wsse:schema to allow any element to be included in keyIdentifiers.
. Use Direct References with an optional contained AuthorityBinding element to reference SAML assertions, when the authority and binding must be specified to acquire the assertion.

I am working on modifying the profile to take the latter approach, but would appreciate feedback from the TC.

Any comments?

Ron

  <xsd:complexType name="KeyIdentifierType">
    <xsd:annotation>
      <xsd:documentation>A security token key identifier</xsd:documentation>
    </xsd:annotation>
    <xsd:simpleContent>
      <xsd:extension base="wsse:EncodedString">
        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

Ron Monzillo wrote:
> BTW, in section 3.3, we need to change the way SAML keyIdentifier
> references are composed, as the Binding and Location attributes are not
> global. Perhaps we can use the SAML AuthorityBinding construct, as opposed
> to its internal attributes.
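As an added illustration of the two paths discussed above (this is not part of the original message or of any TC draft), assuming the SAML 1.0 assertion and protocol namespaces for saml:AuthorityBinding, and placeholder values for the wsse namespace URI, the reference URI, the assertion ValueType URI and the authority location:

```xml
<!-- Added illustration, not from the original post or any WSS draft.
     Assumed: wsse bound to the TC's then-current WSS namespace (placeholder
     URI below); saml = urn:oasis:names:tc:SAML:1.0:assertion. -->

<!-- Path 1: KeyIdentifierType is a simpleContent extension of
     wsse:EncodedString, so no child element can ever appear inside it.
     Allowing "any element" means redefining it as mixed content, i.e. a new
     type rather than an extension; attributes inherited from EncodedString
     would have to be re-declared (only ValueType is shown here). -->
<xsd:complexType name="KeyIdentifierType" mixed="true">
  <xsd:sequence>
    <xsd:any namespace="##other" processContents="lax"
             minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
  <xsd:attribute name="ValueType" type="xsd:anyURI"/>
</xsd:complexType>

<!-- Path 2: a Direct Reference (wsse:Reference) to the assertion, with the
     global saml:AuthorityBinding element beside it inside the
     SecurityTokenReference, so KeyIdentifier's schema is left untouched.
     Binding and Location tell the receiver which authority to query for the
     assertion; a receiver should only dereference Location against
     authorities it already trusts. All values are constructed examples. -->
<wsse:SecurityTokenReference
    xmlns:wsse="PLACEHOLDER-wsse-namespace-URI"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <wsse:Reference URI="#assertion-id-placeholder"
                  ValueType="PLACEHOLDER-SAML-assertion-ValueType-URI"/>
  <saml:AuthorityBinding
      AuthorityKind="samlp:AssertionIdReference"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
      Location="https://authority.example/saml"/>
</wsse:SecurityTokenReference>
```

The first fragment shows why path 1 is a type change rather than a small extension; the second shows the shape a path-2 reference would take without any change to KeyIdentifierType.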