Re: [Pgi-wg] [gridshib-user] comments regarding a VOMS-SAML token--ANY plan to make VOMS SAML assertion be compatible with WS-Security SAML Token profile?

hi,

According to the specification of SAML Token Profile 1.1 (http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAM...), I listed the differences as follows; some of the points are trivial.

For a SAML Token which is compliant to SAML V1.1:

<saml:Assertion xmlns:saml="..." AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2005-05-27T16:53:33.173Z" Issuer="www.opensaml.org"
    MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2005-05-27T16:53:33.173Z" NotOnOrAfter="2005-05-27T16:58:33.17302Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="www.example.com"
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        uid=joe,ou=people,ou=saml-demo,o=baltimore.com
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
        </saml:ConfirmationMethod>
        <ds:KeyInfo>
          <ds:KeyValue>...</ds:KeyValue>
        </ds:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="MemberLevel"
        AttributeNamespace="http://www.oasis-open.org/Catalyst2002/attributes">
      <saml:AttributeValue>gold</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="E-mail"
        AttributeNamespace="http://www.oasis-open.org/Catalyst2002/attributes">
      <saml:AttributeValue>joe@yahoo.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature>...</ds:Signature>
</saml:Assertion>

For a SAML Token which is compliant to SAML V2.0:

<saml2:Assertion xmlns:saml2="..." xmlns:xsi="..." ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
  <saml2:Subject>
    <saml2:NameID> ... </saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
        <ds:KeyInfo>
          <ds:KeyValue>...</ds:KeyValue>
        </ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Statement> ... </saml2:Statement>
  <ds:Signature>...</ds:Signature>
</saml2:Assertion>

Suppose the VOMS SAML assertion uses SAML V2.0. Some comments:

1. The signature for <saml:Response> could also be necessary, even though the integrity is guaranteed by TLS.
2. The XML attribute xsi:type="saml2:KeyInfoConfirmationDataType" could be necessary for <saml2:SubjectConfirmationData/>.
3. The <saml:SubjectConfirmation> element contains a <ds:X509Certificate> element, but it would probably be better to just contain a <ds:KeyValue>, since the certificate chain of the "subject" is already supposed to be verified by the third-party authority (in this case, the VOMS SAML service), and this public key is then used to sign the SOAP message afterwards. For SOAP message verification on the relying-party side, the relying party does not need to verify the certificate chain of the "subject". <ds:KeyValue> is also convenient for proxy certificates, in my opinion.
4. Use <saml:Statement> instead of <saml:AttributeStatement>.

Cheers,
Weizhong

On Mon, Mar 30, 2009 at 5:00 PM, Tom Scavo <trscavo@gmail.com> wrote:
Hi Weizhong,
Can you outline why you think the VOMS SAML assertion is not compatible with the WSS SAML Token Profile?
Thanks, Tom
PS. The comments quoted below mostly refer to a VOMS SAML assertion bound to an X.509 proxy certificate (but the requirements are not the same as a VOMS SAML assertion bound to SOAP header).
On Mon, Mar 30, 2009 at 10:25 AM, weizhong qiang <weizhongqiang@gmail.com> wrote:
hi voms folks, all,

The current VOMS SAML assertion is not compatible with the WS-Security SAML Token Profile. I would like to ask whether there is any plan to change it to make it compatible? I ask this because I think that, if so, the SAML assertion could be used for SOAP message layer authentication, rather than just including a SAML attribute assertion.

Thanks,
Weizhong Qiang
On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo@gmail.com> wrote:
Thanks to Benjamin for posting this VOMS-SAML response to gt-user. A critique (of the SAML, not Benjamin :) follows.
- Note that the output is a <samlp:Response> element, not a <saml:Assertion> element. This is wrong. The requester must consume the response. Not sure why this isn't happening.
- The value of the <saml:Issuer> element in the response is a DN but the Format XML attribute is missing. This is a bug. The default Format is "unspecified" but clearly this is not.
- Second-level status codes are desirable so they can be echoed on the command line (if any).
- Same comment about the <saml:Issuer> element in the assertion.
- The use of SAML metadata requires that the Format on the <saml:Issuer> element be "entity" but clearly it is not. Thus the use of SAML metadata by the relying party is precluded.
- Don't know if Shibboleth/OpenSAML can verify the signature (which is tricky business). This is a future experiment that needs to be done.
- The <saml:SubjectConfirmation> element contains a <ds:X509Certificate> element, which precludes the binding of this holder-of-key assertion to a proxy certificate. This is a bug. Use a <ds:X509SubjectName> element instead (which causes the NameID itself to be redundant).
- If the assertion is bound to a proxy certificate, the NotBefore and NotOnOrAfter attributes are redundant and superfluous. In fact, they may be wrong since they must agree with the NotBefore and NotOnOrAfter fields of the proxy.
- Since the client authenticated directly to the server, a <saml:AuthnStatement> is desirable (not required, but potentially useful at the relying party).
- The NameFormat XML attribute on the <saml:Attribute> element should be "uri" not "unspecified".
- The "xsi:" prefix on the <saml:AttributeValue> element is undefined. This is a bug.
- The <saml:AttributeValue> elements do not conform to the XACML Attribute Profile (actually, I don't think the attributes conform to *any* SAML V2.0 attribute profile).
Hope this helps, Tom
---------- Forwarded message ----------
From: Benjamin Henne <henne@rvs.uni-hannover.de>
Date: Wed, Feb 4, 2009 at 1:59 AM
Subject: Re: [gt-user] SAML based VOMS Server
To: Tom Scavo <trscavo@gmail.com>
Cc: GT User <gt-user@globus.org>
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6" InResponseTo="_qwertyuiopasdfghjklzxcvbn"
    IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de ,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
      IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
    <saml:Issuer>CN=voms3.gridlab.uni-hannover.de ,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# ">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue> ... </ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z" NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="nationality" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">German</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/education</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">/RVS/research</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Response>
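Added here as a check a relying party could run over such a response, not code from the thread or from VOMS: a small Python linter that applies the points raised above (Issuer Format, the KeyInfoConfirmationDataType xsi:type, an embedded X509Certificate in the holder-of-key confirmation, attribute NameFormat, and the undeclared xsi: prefix) to constructed sample assertions. The namespace URIs are the standard SAML 2.0 and XML-DSig ones; all issuer, subject and ID values in the samples are placeholders.

```python
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

def lint_assertion(xml_text):
    """Return a list of findings; an empty list means none of the issues raised in the thread were seen."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:  # e.g. an attribute using an undeclared prefix such as xsi:
        return [f"not well-formed: {e}"]
    a = root if root.tag == f"{{{SAML}}}Assertion" else root.find(f"{{{SAML}}}Assertion")
    if a is None:
        return ["no saml:Assertion found"]
    issuer = a.find(f"{{{SAML}}}Issuer")
    if issuer is not None and issuer.get("Format") != FMT_ENTITY:
        findings.append("Issuer Format is not 'entity', so SAML metadata lookup by the relying party is precluded")
    for sc in a.iter(f"{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") != HOK:
            continue
        scd = sc.find(f"{{{SAML}}}SubjectConfirmationData")
        if scd is None or scd.get(f"{{{XSI}}}type", "").split(":")[-1] != "KeyInfoConfirmationDataType":
            findings.append("holder-of-key SubjectConfirmationData lacks xsi:type KeyInfoConfirmationDataType")
        if scd is not None and scd.find(f".//{{{DS}}}X509Certificate") is not None:
            findings.append("SubjectConfirmation embeds a whole X509Certificate; X509SubjectName or KeyValue binds to a proxy")
    for attr in a.iter(f"{{{SAML}}}Attribute"):
        if attr.get("NameFormat") != FMT_URI:
            findings.append(f"Attribute {attr.get('Name')!r} NameFormat is not 'uri'")
    return findings

# Constructed sample shaped like the VOMS response quoted above (placeholder values; xsi is declared here so it parses)
VOMS_STYLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" xmlns:xsi="{XSI}" ID="_a1" Version="2.0">
<saml:Issuer>CN=voms.example.org,O=ExampleGrid</saml:Issuer><saml:Subject><saml:SubjectConfirmation Method="{HOK}">
<saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:AttributeStatement>
<saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
# The same assertion with the thread's suggestions applied (constructed; not actual VOMS output)
FIXED = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" xmlns:xsi="{XSI}" ID="_a2" Version="2.0">
<saml:Issuer Format="{FMT_ENTITY}">https://voms.example.org/saml</saml:Issuer><saml:Subject><saml:SubjectConfirmation
Method="{HOK}"><saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"><ds:KeyInfo><ds:X509Data>
<ds:X509SubjectName>CN=proxy,CN=Jane Doe,O=ExampleGrid</ds:X509SubjectName></ds:X509Data></ds:KeyInfo>
</saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:AttributeStatement><saml:Attribute
Name="http://voms.forge.cnaf.infn.it/roles" NameFormat="{FMT_URI}"><saml:AttributeValue xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
# The quoted VOMS output declared no xmlns:xsi at all, which is the "undefined xsi: prefix" bug in the critique
UNDECLARED = VOMS_STYLE.replace(f' xmlns:xsi="{XSI}"', "")
```

Running lint_assertion over VOMS_STYLE reports the four structural points from the critique, FIXED reports none, and UNDECLARED fails to parse before any SAML check runs, which is how the missing xsi declaration shows up in practice.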