Hi Tom

Concerning your comment 1b, "X.509 authentication is assumed", I am slightly confused by this one. The whole purpose of the OASIS SAML V2.0 Deployment Profiles for X.509 Subjects is that, quote, "it specifies how a principal who has been issued an X.509 identity certificate is represented as a SAML Subject, how an assertion regarding such a principal is produced and consumed, ...". It would therefore be perverse, would it not, to assume that a principal with an X.509 certificate should use any other method to authenticate to the IDP/AA.

Your proposed solution does use the X.509 certificate to authenticate, since you need to be sure that the caller possesses the private key that matches the public key in the certificate. Therefore the AA/IDP does know the DN of the user (providing it trusts the CA that issued the cert). If the AA/IDP does not trust the CA, then the user might as well issue self-signed certificates. But the OASIS spec says "has been issued an X.509 certificate", so we can assume that the CA is known and trusted.

But what you appear to be concerned about is that the public key and DN in the certificate are unknown to the IDP/AA, therefore the latter is unable to authenticate the caller *as being one of its existing users*, so does not know which attributes to release to him/her. But the IDP/AA can still authenticate the user. It is just that the user is unknown to it.

Therefore one solution would be for the CA that issued the presumably short-lived certificate with a random DN (if it was a long-lived certificate then the AA/IDP could use the DN as its user identifier) to also insert into the certificate the username/identifier of the user that is known to the AA/IDP. In this way the AA/IDP can know that the caller holds the private key, and is known by the particular username in the certificate.

Would this solve your problem?

regards

David

Tom Scavo wrote:
> Please find attached some comments regarding the "Use of SAML to Retrieve Authorization Credentials." I haven't fully reviewed this document, but these are the comments I can offer at this time.
>
> Tom Scavo
> NCSA
--
ogsa-authz-wg mailing list
ogsa-authz-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-authz-wg

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
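The issue-and-verify flow David proposes above (short-lived certificate with a random DN, the AA-known username embedded by the CA, proof of private-key possession checked by the AA/IDP), as an added example that is not code from this thread or from either working group document. It assumes Ed25519 keys, a hypothetical URN prefix `urn:example:user:` as the place where the CA records the username, and a signature over a fresh challenge as the proof of possession.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// userURN is a hypothetical URN prefix under which the CA records the username the AA/IDP knows.
const userURN = "example:user:"
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// NewCA is a constructed fixture: the self-signed CA that the AA/IDP has chosen to trust.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Short-Lived CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := mkCert(tmpl, tmpl, pub, key)
	return cert, key, err
}
// IssueShortLived is the CA step: random DN, one-hour lifetime, AA-known username carried as a URI SAN.
func IssueShortLived(ca *x509.Certificate, caKey ed25519.PrivateKey, pub ed25519.PublicKey, user string) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: "session-" + serial.String()},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{{Scheme: "urn", Opaque: userURN + user}}}
	return mkCert(tmpl, ca, pub, caKey)
}
// AuthenticateCaller is the AA/IDP step: chain to the trusted CA, require a signature over a fresh
// challenge as proof the caller holds the certified key, then map to the known username, not the DN.
func AuthenticateCaller(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { return "", err }
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) { return "", errors.New("no proof of possession of the certified key") }
	for _, u := range cert.URIs {
		if u.Scheme == "urn" && strings.HasPrefix(u.Opaque, userURN) { return strings.TrimPrefix(u.Opaque, userURN), nil }
	}
	return "", errors.New("certificate names no user known to this AA/IDP")
}
```

The challenge must be generated by the AA/IDP per request, otherwise a replayed signature would pass the possession check.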