

Subject: Re: [wss] Comments on SAML Token Profile




Anthony Nadalin wrote:

> We ran into some inconsistencies while participating in the recent 
> SAML interop. The WSS core specification describes a "Direct 
> Reference" mechanism to be used with STRs. A Reference element with a 
> URI attribute is used. When the referenced token is located within the 
> Security header, the URI contains a shorthand XPointer reference to 
> the token. In order for this to work, the token element must contain 
> an attribute of type ID. WSS defines the wsu:Id attribute with type ID 
> for naming the reference. Direct references within the message should 
> not require token specific methods so we suggest the following actions 
> be taken:
>
> 1) Errata to the WSS core to make it clear the tokens must have an 
> attribute named wsu:Id.
> 2) Change to the SAML Token Profile to use an wsu:Id attribute or use 
> a wsse:KeyIdentifier
>
These changes are not a good idea.

The wsu:id attribute was defined for use as a convenience where new schema
elements are being defined, or with elements which support attribute extensibility
and which do not already include an id attribute.

The only constraint on using an STR Direct Reference with a fragment containing
an id value is that the thing being referenced must have an attribute of type id.

In SAML V1.1 the AssertionID attribute so qualifies, that is:

<attribute name="AssertionID" type="ID" use="required"/>

Ron

PS: I also concur with Rich Levinson

> In particular, the ValueType attribute (lines 702-708) appears to be intended
> to provide token-specific processing rules to be applied in conjunction with
> the URI attribute. In the case of SAML 1.1 assertions, the SAML ValueType
> indicates that the saml:AssertionID should be treated as an XML ID type
> attribute.

>
> Anthony Nadalin | work 512.838.0085 | cell 512.289.4122
>
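The Direct Reference rule Ron describes, as an added illustration that is not code from this thread or from any WSS implementation: the resolver matches a `#value` shorthand XPointer against elements in the Security header that carry an attribute of type ID, accepting both wsu:Id and the SAML 1.1 AssertionID on saml:Assertion, and fails closed when no element or more than one element claims the value. The header, token values and function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Attributes the resolver treats as XML ID type. wsu:Id is namespace-qualified and may
# sit on any element; SAML 1.1 AssertionID is unqualified and only counts on saml:Assertion.
ID_ATTRS = [
    (None, "{%s}Id" % WSU),
    ("{%s}Assertion" % SAML, "AssertionID"),
]

class AmbiguousReference(ValueError):
    """More than one element in the header claims the referenced ID value."""
    def __init__(self, count, wanted):
        super().__init__("%d elements claim the ID %r" % (count, wanted))
        self.count = count

def id_of(elem):
    """Return the ID-typed value carried by elem, or None if it has none."""
    for owner_tag, attr in ID_ATTRS:
        if (owner_tag is None or elem.tag == owner_tag) and attr in elem.attrib:
            return elem.attrib[attr]
    return None

def resolve_direct_reference(security_header, uri):
    """Resolve a wsse:Reference/@URI of the form "#value" inside the Security header.
    Missing and duplicate IDs are both errors: a key lookup must not bind to an
    ambiguous token."""
    if not uri.startswith("#"):
        raise ValueError("not a shorthand XPointer: %r" % uri)
    wanted = uri[1:]
    matches = [e for e in security_header.iter() if id_of(e) == wanted]
    if not matches:
        raise LookupError("no element with an ID-typed attribute equal to %r" % wanted)
    if len(matches) > 1:
        raise AmbiguousReference(len(matches), wanted)
    return matches[0]

def resolve_status(xml_text, uri):
    """Wrapper returning ('ok', local name), ('missing', None) or ('ambiguous', count)."""
    try:
        return ("ok", resolve_direct_reference(ET.fromstring(xml_text), uri).tag.split("}")[-1])
    except LookupError:
        return ("missing", None)
    except AmbiguousReference as exc:
        return ("ambiguous", exc.count)

# Constructed sample header (not a captured message): a SAML 1.1 assertion identified by
# AssertionID and a binary token identified by wsu:Id, plus an STR pointing at the assertion.
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:saml="%s">
  <saml:Assertion AssertionID="_a7f3" MajorVersion="1" MinorVersion="1" Issuer="example"/>
  <wsse:BinarySecurityToken wsu:Id="bst-1">AAEC</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference><wsse:Reference URI="#_a7f3"/></wsse:SecurityTokenReference>
</wsse:Security>""" % (WSSE, WSU, SAML)
```

Running `resolve_status(SAMPLE_HEADER, "#_a7f3")` yields `('ok', 'Assertion')` without any SAML-specific reference method, which is Ron's point; giving the binary token the same wsu:Id value as the assertion makes the same call return `('ambiguous', 2)`.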


