comments for Use of SAML to Retrieve Authorization Credentials

I have summarized in a wiki page the comments and answers received on 'Use of SAML to Retrieve Authorization Credentials' https://forge.gridforum.org/sf/wiki/do/viewPage/projects.ogsa-authz/wiki/Ans...
If everything is ok I'll do the integration and upload a new draft.
Valerio

Comments re the answers to comments:
Item 1:
- s/Consent parameter/Consent attribute/
- The Consent attribute MUST be present in the request since the attribute value defaults to "unspecified", which is not what we want.
- Note that SAML2Core requires the request to be signed (lines 1511--1512).
Item 2:
- The assertion in the appendix is just an example. The profile should specify the content of the <saml:SubjectConfirmation> element by referring normatively to SAMLHoK.
Item 3:
- This implies that SAMLX509SelfQry is not sufficient. As an alternative, refer normatively to the SAML V2.0 Holder-of-Key Assertion Request Profiles.
Item 4: none
Item 5: none
Item 6:
- If the requester is the subject, the following requirements MUST be satisfied:
1. The value of the <saml:Issuer> element in the request MUST be the subject distinguished name (DN) of the presented certificate (see the Holder-of-Key Assertion Request Profiles).
2. The value of the Consent attribute SHOULD be "urn:oasis:names:tc:SAML:2.0:consent:self" (where the latter will be specified in draft-02 of the Holder-of-Key Assertion Request Profiles).
Tom Scavo
NCSA
On Thu, May 21, 2009 at 5:28 PM, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:
I have summarized in a wiki page the comments and answers received on 'Use of SAML to Retrieve Authorization Credentials' https://forge.gridforum.org/sf/wiki/do/viewPage/projects.ogsa-authz/wiki/Ans...
If everything is ok I'll do the integration and upload a new draft.
Valerio
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
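As an added example (not code from the thread or from the OGSA-AuthZ draft), a structural check that an attribute-query service could apply to an incoming self-query, implementing the Consent and Issuer rules from Item 1 and Item 6 above. The request, its ID and the certificate subject DN are constructed samples, and the Signature element is only checked for presence, not cryptographically verified.

```python
# Added example, not code from the thread: checks a SAML 2.0 AttributeQuery
# against the requester-is-subject rules in Item 1 and Item 6 (constructed data).
from typing import List
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CONSENT_SELF = "urn:oasis:names:tc:SAML:2.0:consent:self"
CONSENT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"

# Constructed sample: the subject queries for its own attributes.
CERT_SUBJECT_DN = "CN=Valerio Example,O=Example Org,C=IT"
SAMPLE_REQUEST = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2009-06-08T09:33:00Z"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:self">
  <saml:Issuer>CN=Valerio Example,O=Example Org,C=IT</saml:Issuer>
  <ds:Signature><!-- placeholder for the XML-DSig content --></ds:Signature>
  <saml:Subject><saml:NameID>CN=Valerio Example,O=Example Org,C=IT</saml:NameID></saml:Subject>
</samlp:AttributeQuery>"""


def check_self_query(xml_text: str, presented_cert_dn: str) -> List[str]:
    """Return the list of findings; an empty list means the request passes."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AttributeQuery" % NS["samlp"]:
        return ["root element is not samlp:AttributeQuery"]
    # Item 1: Consent MUST be present; the schema default "unspecified" is
    # exactly the value the profile wants to rule out.
    consent = root.get("Consent")
    if consent is None or consent == CONSENT_UNSPECIFIED:
        findings.append("Consent attribute missing or 'unspecified'")
    elif consent != CONSENT_SELF:
        # Item 6.2 is SHOULD-level, so report it but label it as such.
        findings.append("Consent is not consent:self (SHOULD)")
    # Item 1: SAML2Core requires the query to be signed. Only the element's
    # presence is checked here; verification belongs to an XML-DSig library.
    if root.find("ds:Signature", NS) is None:
        findings.append("request is not signed (no ds:Signature)")
    # Item 6.1: Issuer MUST be the subject DN of the presented certificate.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != presented_cert_dn:
        findings.append("Issuer does not match presented certificate subject DN")
    return findings
```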

Integrated. Thanks Tom.
Valerio
On Thu, 2009-05-21 at 20:36 -0500, Tom Scavo wrote:
Comments re the answers to comments:
Item 1:
- s/Consent parameter/Consent attribute/
- The Consent attribute MUST be present in the request since the attribute value defaults to "unspecified", which is not what we want.
- Note that SAML2Core requires the request to be signed (lines 1511--1512).
Item 2:
- The assertion in the appendix is just an example. The profile should specify the content of the <saml:SubjectConfirmation> element by referring normatively to SAMLHoK.
Item 3:
- This implies that SAMLX509SelfQry is not sufficient. As an alternative, refer normatively to the SAML V2.0 Holder-of-Key Assertion Request Profiles.
Item 4:
none
Item 5:
none
Item 6:
- If the requester is the subject, the following requirements MUST be satisfied:
1. The value of the <saml:Issuer> element in the request MUST be the subject distinguished name (DN) of the presented certificate (see the Holder-of-Key Assertion Request Profiles).
2. The value of the Consent attribute SHOULD be "urn:oasis:names:tc:SAML:2.0:consent:self" (where the latter will be specified in draft-02 of the Holder-of-Key Assertion Request Profiles).
Tom Scavo NCSA

On Mon, Jun 8, 2009 at 9:33 AM, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:
Integrated. Thanks Tom.
Thanks, Valerio. Note also that Draft-02 of the SAML V2.0 Holder-of-Key Assertion Request Profiles has been submitted to the OASIS SSTC: http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest This draft includes the new Consent attribute value that you mention in your notes.