Hi VOMS folks, all,
The current VOMS SAML assertion is not compatible with the WS-Security SAML Token Profile. I would ask whether there is any plan to change it to make it compatible. I ask this because I think, if so, the SAML assertion could be used for SOAP message-layer authentication, rather than just including a SAML attribute assertion.


Thanks
Weizhong Qiang


On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo@gmail.com> wrote:
Thanks to Benjamin for posting this VOMS-SAML response to gt-user.  A
critique (of the SAML, not Benjamin :) follows.

- Note that the output is a <samlp:Response> element, not a
<saml:Assertion> element.  This is wrong.  The requester must consume
the response.  Not sure why this isn't happening.

- The value of the <saml:Issuer> element in the response is a DN but
the Format XML attribute is missing.  This is a bug.  The default
Format is "unspecified" but clearly this is not.

- Second-level status codes are desirable so they can be echoed on the
command line (if any).

- Same comment about the <saml:Issuer> element in the assertion.

- The use of SAML metadata requires that the Format on the
<saml:Issuer> element be "entity" but clearly it is not.  Thus the use
of SAML metadata by the relying party is precluded.

- Don't know if Shibboleth/OpenSAML can verify the signature (which is
tricky business).  This is a future experiment that needs to be done.

- The <saml:SubjectConfirmation> element contains a
<ds:X509Certificate> element, which precludes the binding of this
holder-of-key assertion to a proxy certificate.  This is a bug.  Use a
<ds:X509SubjectName> element instead (which causes the NameID itself
to be redundant).

- If the assertion is bound to a proxy certificate, the NotBefore and
NotOnOrAfter attributes are redundant and superfluous.  In fact, they
may be wrong since they must agree with the NotBefore and NotOnOrAfter
fields of the proxy.

- Since the client authenticated directly to the server, a
<saml:AuthnStatement> is desirable (not required, but potentially
useful at the relying party).

- The NameFormat XML attribute on the <saml:Attribute> element should
be "uri" not "unspecified".

- The "xsi:" prefix on the <saml:AttributeValue> element is undefined.
This is a bug.

- The <saml:AttributeValue> elements do not conform to the XACML
Attribute Profile (actually, I don't think the attributes conform to
*any* SAML V2.0 attribute profile).

Hope this helps,
Tom

---------- Forwarded message ----------
From: Benjamin Henne <henne@rvs.uni-hannover.de>
Date: Wed, Feb 4, 2009 at 1:59 AM
Subject: Re: [gt-user] SAML based VOMS Server
To: Tom Scavo <trscavo@gmail.com>
Cc: GT User <gt-user@globus.org>


<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
InResponseTo="_qwertyuiopasdfghjklzxcvbn"
IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
 <Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
 </Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
  <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml
xs"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin
Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
    <saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="nationality"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">German</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">/RVS/education</saml:AttributeValue>
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">/RVS</saml:AttributeValue>
      <saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">/RVS/research</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</Response>
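An added checker, not VOMS, OpenSAML or Globus code, that turns the critique's points into automated findings against a SAML response. It assumes only the standard SAML 2.0 and XML Signature namespace URIs; the sample response below is constructed, cut down from the one posted above, with xmlns:xsi declared so that it parses at all (dropping that declaration reproduces the undefined-prefix bug as a parse error).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def check_voms_saml(xml_text):
    """Return the findings from the critique that apply to xml_text (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:  # e.g. xsi:type used with no xmlns:xsi declaration in scope
        return [f"not well-formed XML: {e}"]
    found = []
    if root.tag == f"{{{SAMLP}}}Response":
        found.append("top-level element is samlp:Response, not saml:Assertion")
    for iss in root.iter(f"{{{SAML}}}Issuer"):
        if iss.get("Format") != ENTITY:  # a bare DN defaults to Format 'unspecified'
            found.append(f"Issuer {iss.text!r} lacks Format=entity; SAML metadata unusable")
    for sc in root.iter(f"{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") == HOK and sc.find(f".//{{{DS}}}X509SubjectName") is None:
            found.append("holder-of-key confirmation names a certificate, not an X509SubjectName,"
                         " so it cannot be bound to a proxy certificate")
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("NameFormat") != URI_FMT:
            found.append(f"Attribute {attr.get('Name')!r}: NameFormat should be uri")
    return found


# Constructed sample (hypothetical issuer DN), trimmed from the posted response
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  ID="_r1" Version="2.0" IssueInstant="2008-10-16T19:03:57.922Z">
 <saml:Issuer>CN=voms.example.org,O=ExampleGrid,C=XX</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-10-16T19:03:57.920Z">
  <saml:Issuer>CN=voms.example.org,O=ExampleGrid,C=XX</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="{HOK}"><saml:SubjectConfirmationData>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">/RVS</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Running `check_voms_saml(SAMPLE)` reports the Response wrapper, both Issuer Format omissions, the certificate-bound holder-of-key confirmation and the unspecified attribute NameFormat; signature verification is out of scope here, as it was in the critique.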