Subject: the saml token profile depends on non-global attributes in keyidentifier/wsse schema does not support keyIdentifier element extensibility
The schema for wsse:KeyIdentifier does not support element extensibility.
The SAML token profile relies on non-global saml attributes (i.e. saml:local and saml:binding) to format keyIdentifier SecurityTokenReferences.
The non-global attributes could be replaced with the global saml:AuthorityBinding element, if the wsse:KeyIdentifier supported element extensibility.
There are 2 paths forward.
. Modify the wsse:schema to allow any element to be included in keyIdentifiers
. Use Direct References with an optional contained AuthorityBinding element to reference SAML assertions, when the authority and binding must be specified to acquire the assertion.
I am working on modifying the profile to take the latter approach, but would appreciate feedback from the TC.
Any comments?
Ron
<xsd:complexType name="KeyIdentifierType">
  <xsd:annotation>
    <xsd:documentation>A security token key identifier</xsd:documentation>
  </xsd:annotation>
  <xsd:simpleContent>
    <xsd:extension base="wsse:EncodedString">
      <xsd:attribute name="ValueType" type="xsd:anyURI"/>
    </xsd:extension>
  </xsd:simpleContent>
</xsd:complexType>
Ron Monzillo wrote:
> BTW, in section 3.3, we need to change the way SAML keyIdentifier references
> are composed, as the Binding and Location attributes are not global.
> Perhaps we can use the SAML AuthorityBinding construct, as opposed to its
> internal attributes.
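The second path above, a wsse:Reference that carries an optional saml:AuthorityBinding, as an added example that is not part of this message or of the TC's drafts. The parser below (hypothetical name parse_direct_reference) uses only the standard library; the SAML 1.x namespace and the AuthorityKind/Location/Binding attributes are the real ones, while the wsse namespace URI and the assertion identifier are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# The SAML 1.x assertion/protocol URIs are real; the wsse URI is a placeholder
# (assumption): substitute the one bound by the WSS draft you implement.
WSSE = "http://schemas.xmlsoap.org/ws/2002/xx/secext"  # placeholder
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"wsse": WSSE, "saml": SAML}

# Constructed sample: a Direct Reference to a SAML assertion that also says
# which authority, at which location and over which binding, can supply it.
SAMPLE_STR = f"""
<wsse:SecurityTokenReference xmlns:wsse="{WSSE}" xmlns:saml="{SAML}"
    xmlns:samlp="{SAMLP}">
  <wsse:Reference URI="_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
    <saml:AuthorityBinding AuthorityKind="samlp:AssertionIdReference"
        Location="https://idp.example.org/saml"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"/>
  </wsse:Reference>
</wsse:SecurityTokenReference>
"""

REQUIRED_AB_ATTRS = ("AuthorityKind", "Location", "Binding")


def parse_direct_reference(xml_text):
    """Return (assertion_ref, authority_binding) from a SecurityTokenReference.

    authority_binding is None when no saml:AuthorityBinding is present. A
    reference without wsse:Reference/@URI, or an AuthorityBinding missing
    any of its three attributes, is rejected rather than partially used,
    because a receiver cannot safely guess where to fetch the assertion from.
    """
    root = ET.fromstring(xml_text)
    ref = root.find("wsse:Reference", NS)
    if ref is None or "URI" not in ref.attrib:
        raise ValueError("SecurityTokenReference has no wsse:Reference/@URI")
    ab = ref.find("saml:AuthorityBinding", NS)
    if ab is None:
        return ref.attrib["URI"], None
    missing = [a for a in REQUIRED_AB_ATTRS if a not in ab.attrib]
    if missing:
        raise ValueError("AuthorityBinding missing: " + ", ".join(missing))
    return ref.attrib["URI"], {a: ab.attrib[a] for a in REQUIRED_AB_ATTRS}
```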