On Mon, Mar 30, 2009 at 5:00 PM, Tom Scavo <trscavo@gmail.com> wrote:

Hi Weizhong,

Can you outline why you think the VOMS SAML assertion is not
compatible with the WSS SAML Token Profile?

Thanks,
Tom

PS. The comments quoted below mostly refer to a VOMS SAML assertion
bound to an X.509 proxy certificate (but the requirements are not the
same as a VOMS SAML assertion bound to SOAP header).

On Mon, Mar 30, 2009 at 10:25 AM, weizhong qiang
<weizhongqiang@gmail.com> wrote:
> hi voms folks, all,
> The current voms SAML assertion is not compatible with WS-Security SAML
> Token profile. I would ask is there any plan to change it to make it be
> compatible? I ask this because I think if so, the SAML assertion can be used
> for SOAP message layer authentication, other than just including SAML
> attribute assertion.
>
>
> Thanks
> Weizhong Qiang
>
>
> On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo@gmail.com> wrote:
>>
>> Thanks to Benjamin for posting this VOMS-SAML response to gt-user. A
>> critique (of the SAML, not Benjamin :) follows.
>>
>> - Note that the output is a <samlp:Response> element, not a
>> <saml:Assertion> element. This is wrong. The requester must consume
>> the response. Not sure why this isn't happening.
>>
>> - The value of the <saml:Issuer> element in the response is a DN but
>> the Format XML attribute is missing. This is a bug. The default
>> Format is "unspecified" but clearly this is not.
>>
>> - Second-level status codes are desirable so they can be echoed on the
>> command line (if any).
>>
>> - Same comment about the <saml:Issuer> element in the assertion.
>>
>> - The use of SAML metadata requires that the Format on the
>> <saml:Issuer> element be "entity" but clearly it is not. Thus the use
>> of SAML metadata by the relying party is precluded.
>>
>> - Don't know if Shibboleth/OpenSAML can verify the signature (which is
>> tricky business). This is a future experiment that needs to be done.
>>
>> - The <saml:SubjectConfirmation> element contains a
>> <ds:X509Certificate> element, which precludes the binding of this
>> holder-of-key assertion to a proxy certificate. This is a bug. Use a
>> <ds:X509SubjectName> element instead (which causes the NameID itself
>> to be redundant).
>>
>> - If the assertion is bound to a proxy certificate, the NotBefore and
>> NotOnOrAfter attributes are redundant and superfluous. In fact, they
>> may be wrong since they must agree with the NotBefore and NotOnOrAfter
>> fields of the proxy.
>>
>> - Since the client authenticated directly to the server, a
>> <saml:AuthnStatement> is desirable (not required, but potentially
>> useful at the relying party).
>>
>> - The NameFormat XML attribute on the <saml:Attribute> element should
>> be "uri" not "unspecified".
>>
>> - The "xsi:" prefix on the <saml:AttributeValue> element is undefined.
>> This is a bug.
>>
>> - The <saml:AttributeValue> elements do not conform to the XACML
>> Attribute Profile (actually, I don't think the attributes conform to
>> *any* SAML V2.0 attribute profile).
>>
>> Hope this helps,
>> Tom
>>
>> ---------- Forwarded message ----------
>> From: Benjamin Henne <henne@rvs.uni-hannover.de>
>> Date: Wed, Feb 4, 2009 at 1:59 AM
>> Subject: Re: [gt-user] SAML based VOMS Server
>> To: Tom Scavo <trscavo@gmail.com>
>> Cc: GT User <gt-user@globus.org>
>>
>>
>> <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>> ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
>> InResponseTo="_qwertyuiopasdfghjklzxcvbn"
>> IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
>> <saml:Issuer
>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
>> <Status>
>> <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>> </Status>
>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
>> IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
>>
>> <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
>> <ds:Transforms>
>> <ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> <ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml
>> xs"/></ds:Transform>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>
>> ...
>> </ds:SignatureValue>
>>
>> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
>> <saml:Subject>
>> <saml:NameID
>>
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin
>> Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
>> <saml:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
>> <saml:SubjectConfirmationData>
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:X509Data>
>> <ds:X509Certificate>...</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </saml:SubjectConfirmationData>
>> </saml:SubjectConfirmation>
>> </saml:Subject>
>> <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
>> NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
>> <saml:AttributeStatement>
>> <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="nationality"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">German</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">/RVS/education</saml:AttributeValue>
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">/RVS</saml:AttributeValue>
>> <saml:AttributeValue
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">/RVS/research</saml:AttributeValue>
>> </saml:Attribute>
>> </saml:AttributeStatement>
>> </saml:Assertion>
>> </Response>
>
>