
Subject: the saml token profile depends on non-global attributes in keyidentifier/wsse schema does not support keyIdentifier element extensibility

The schema for wsse:KeyIdentifier does not support element extensibility.

The SAML token profile relies on non-global saml attributes (i.e. 
and saml:binding) to format keyIdentifier SecurityTokenReferences.

The non-global attributes could be replaced with the global 
element, if the wsse:KeyIdentifier supported element extensibility.

There are 2 paths forward.

1. Modify the wsse:schema to allow any element to be included in 

2. Use Direct References with an optional contained AuthorityBinding element
   to reference SAML assertions, when the authority and binding must be 
   to acquire the assertion.

I am working on modifying the profile to take the latter approach, but would
appreciate feedback from the TC.

Any comments?


<xsd:complexType name="KeyIdentifierType">
    <xsd:annotation>
        <xsd:documentation>A security token key identifier</xsd:documentation>
    </xsd:annotation>
    <!-- simpleContent: the element carries only encoded text plus attributes,
         so no child elements (and hence no element extensibility) are allowed -->
    <xsd:simpleContent>
        <xsd:extension base="wsse:EncodedString">
            <xsd:attribute name="ValueType" type="xsd:anyURI"/>
        </xsd:extension>
    </xsd:simpleContent>
</xsd:complexType>

Ron Monzillo wrote:

> BTW, in section 3.3, we need to change the way SAML keyIdentifier 
> references
> are composed, as the Binding and Location attributes are not global. 
> Perhaps we can
> use the SAML AuthorityBinding construct, as opposed to its internal 
> attributes.
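To make the two reference shapes under discussion concrete, here is an added Python illustration (not code from the WSS TC, the SAML token profile, or the post's author) of how a consumer would dispatch on a wsse:SecurityTokenReference: form 1 is a wsse:KeyIdentifier carrying the assertion ID as text with the authority's Location and Binding as non-global saml:* attributes; form 2 is the post's second path, a direct wsse:Reference that may contain a saml:AuthorityBinding. The namespace URIs, the ValueType URI, the binding URI and the sample references are all assumptions constructed for the example; the parser assumes the Reference element's content is open to foreign elements, as the second path requires, while KeyIdentifier is not. Note that nothing here validates against the schema; the check on child elements only mirrors what the quoted KeyIdentifierType would reject.

```python
# Added illustration (not code from the WSS TC, the SAML token profile, or
# the post's author). Dispatches on the two SecurityTokenReference shapes
# discussed in the post. Namespace and ValueType URIs are assumptions.
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"  # assumed
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed
SAML_ID_VALUETYPE = (  # assumed ValueType URI for "this text is a SAML assertion ID"
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID")


class InvalidReference(ValueError):
    """Raised when an STR is malformed or uses an unrecognised shape."""


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def parse_str(xml_text):
    """Return {'form', 'assertion_id', 'location', 'binding'} for an STR.

    Form 1: wsse:KeyIdentifier whose text is the assertion ID, with the
            authority's Location/Binding as (non-global) saml:* attributes.
    Form 2: wsse:Reference whose URI names the assertion, optionally
            containing a saml:AuthorityBinding that says where and how
            to obtain it (the post's second path).
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q(WSSE, "SecurityTokenReference"):
        raise InvalidReference("root element must be wsse:SecurityTokenReference")
    key_ids = root.findall(_q(WSSE, "KeyIdentifier"))
    refs = root.findall(_q(WSSE, "Reference"))
    if len(key_ids) + len(refs) != 1:
        raise InvalidReference("expected exactly one KeyIdentifier or Reference")

    if key_ids:
        ki = key_ids[0]
        if ki.get("ValueType") != SAML_ID_VALUETYPE:
            raise InvalidReference("unrecognised KeyIdentifier ValueType")
        # KeyIdentifierType is simpleContent: child elements are not allowed,
        # which is the extensibility gap the post describes.
        if len(ki):
            raise InvalidReference("KeyIdentifier must not contain child elements")
        assertion_id = (ki.text or "").strip()
        if not assertion_id:
            raise InvalidReference("KeyIdentifier carries no assertion ID")
        return {"form": "KeyIdentifier", "assertion_id": assertion_id,
                "location": ki.get(_q(SAML, "Location")),
                "binding": ki.get(_q(SAML, "Binding"))}

    ref = refs[0]
    uri = ref.get("URI")
    if not uri:
        raise InvalidReference("Reference must carry a URI")
    location = binding = None
    ab = ref.find(_q(SAML, "AuthorityBinding"))
    if ab is not None:
        location, binding = ab.get("Location"), ab.get("Binding")
        if not (location and binding):
            raise InvalidReference("AuthorityBinding needs Location and Binding")
    return {"form": "Reference", "assertion_id": uri,
            "location": location, "binding": binding}


def is_rejected(xml_text):
    """True if parse_str refuses the reference."""
    try:
        parse_str(xml_text)
    except InvalidReference:
        return True
    return False


# Constructed sample references (not taken from any real exchange).
ASSERTION_ID = "_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
IDP = "https://idp.example.test/saml"
SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
NS_DECL = ('xmlns:wsse="%s" xmlns:saml="%s" '
           'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"' % (WSSE, SAML))

STR_KEYID = f"""<wsse:SecurityTokenReference {NS_DECL}>
  <wsse:KeyIdentifier ValueType="{SAML_ID_VALUETYPE}"
      saml:Location="{IDP}" saml:Binding="{SOAP_BINDING}">{ASSERTION_ID}</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>"""

STR_DIRECT = f"""<wsse:SecurityTokenReference {NS_DECL}>
  <wsse:Reference URI="{IDP}#{ASSERTION_ID}">
    <saml:AuthorityBinding AuthorityKind="samlp:AssertionIdReference"
        Location="{IDP}" Binding="{SOAP_BINDING}"/>
  </wsse:Reference>
</wsse:SecurityTokenReference>"""

# A KeyIdentifier that tries to embed the global element: not allowed by the schema.
STR_KEYID_WITH_CHILD = f"""<wsse:SecurityTokenReference {NS_DECL}>
  <wsse:KeyIdentifier ValueType="{SAML_ID_VALUETYPE}">{ASSERTION_ID}
    <saml:AuthorityBinding AuthorityKind="samlp:AssertionIdReference"
        Location="{IDP}" Binding="{SOAP_BINDING}"/>
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>"""

if __name__ == "__main__":
    for name, doc in [("KeyIdentifier", STR_KEYID), ("Reference", STR_DIRECT)]:
        print(name, parse_str(doc))
    print("KeyIdentifier with child rejected:", is_rejected(STR_KEYID_WITH_CHILD))
```

Running the block prints the same assertion ID, location and binding recovered from either form, and shows the KeyIdentifier-with-child variant being refused; the point for a consumer is that the direct-reference form carries the authority information in a schema-valid, globally declared element, so it can be checked rather than merely tolerated.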
