mace-opensaml-users - RE: A suggestion about digital signatures

Subject: OpenSAML user discussion

RE: A suggestion about digital signatures


  • From: Massimiliano Masi <>
  • To:
  • Subject: RE: A suggestion about digital signatures
  • Date: Thu, 20 Sep 2007 10:56:33 +0200

Hi,

Quoting George Stanchev <>:

> I don't think it's generally acceptable to send two assertions in one
> token element, no.

I decided to put two assertions in the WS-Trust <RequestSecurityTokenResponse/>
element mainly for two reasons:

1) The assertions are issued by two different entities, the Identity Provider
and the Attribute Authority. The Identity Provider shouldn't know which
attributes are needed by the Service Provider, and attributes couldn't be
resolved at login time. But the security token response comes
from an Identity Provider and is signed by it, so it could also be
possible that the Authentication Assertion also contains the attribute
statements and the IdP signs the whole assertion, like this:

<RequestedSecurityToken>
  <saml:Assertion>
    <... authn info ... >
    <... attribute info ...>
  </saml:Assertion>
</RequestedSecurityToken>

Also the solution of returning a collection of tokens is good: if I can resolve
attributes, then return the collection; otherwise return with a normal
RequestedSecurityToken element.

I think that both solutions are equivalent, no? If the client receives
an assertion that contains attributes signed by the IdP, only he is aware
of the attribute authority, but another service provider would
need to trust one specific attribute authority.

I've no idea how to proceed...

And also when Scott says that, since no profiles are specified, one can
put everything inside a token.

I think that I'll return with the collection.

2) Since an assertion, once obtained, must be carried in the wsse:Security element,
the wsse SAML profile says:

When a receiver processes a <wsse:Security> header containing or referencing
SAML assertions, it selects, based on its policy, the signatures and
assertions that it will process.

So assertionS, plural... :-) This is the reason for my concerns.

I found the example in the mailing list:

https://mail.internet2.edu/wws/arc/mace-opensaml-users/2007-06/msg00033.html


Thank you,


Massimiliano

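The receiver-side rule quoted above from the WSS SAML profile (the receiver "selects, based on its policy, the signatures and assertions that it will process") is the part a relying party actually has to implement whichever packaging the STS chooses. The following is an added example, not code from this thread or from OpenSAML: it parses a constructed <RequestSecurityTokenResponse> that carries one assertion from the IdP and one from the Attribute Authority, and applies a per-statement-type issuer policy, so that an AttributeStatement is only accepted from an issuer the relying party trusts for attributes. The issuer URLs, assertion IDs and the policy table are invented; the signature check is a placeholder for real XML-DSig verification, which is what an XML-signature library would do in its place.

```python
"""Policy-based selection of SAML assertions from a WS-Trust response.

Added example (not from the mailing-list thread). Namespaces are the real
WS-Trust 1.3, SAML 2.0 and XML-DSig ones; everything else is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: two assertions in one RequestedSecurityToken, plus a
# third, unsigned one from an issuer the receiver does not know.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wst:RequestedSecurityToken>
    <saml:Assertion ID="_authn1">
      <saml:Issuer>https://idp.example.org</saml:Issuer>
      <ds:Signature/>
      <saml:AuthnStatement/>
    </saml:Assertion>
    <saml:Assertion ID="_attr1">
      <saml:Issuer>https://aa.example.org</saml:Issuer>
      <ds:Signature/>
      <saml:AttributeStatement/>
    </saml:Assertion>
    <saml:Assertion ID="_attr2">
      <saml:Issuer>https://other.example.net</saml:Issuer>
      <saml:AttributeStatement/>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

# Constructed sample of the other packaging discussed above: one assertion,
# signed by the IdP, carrying both the authn and the attribute statements.
SAMPLE_COMBINED = """<wst:RequestSecurityTokenResponse
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wst:RequestedSecurityToken>
    <saml:Assertion ID="_combined">
      <saml:Issuer>https://idp.example.org</saml:Issuer>
      <ds:Signature/>
      <saml:AuthnStatement/>
      <saml:AttributeStatement/>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

# Receiver policy (invented): which issuers may make which kind of statement.
POLICY = {
    "AuthnStatement": {"https://idp.example.org"},
    "AttributeStatement": {"https://aa.example.org"},
}


def statement_types(assertion):
    """Local names of the saml:*Statement children of an assertion."""
    prefix = "{%s}" % NS["saml"]
    return [c.tag[len(prefix):] for c in assertion
            if c.tag.startswith(prefix) and c.tag.endswith("Statement")]


def select_assertions(xml_text, policy=POLICY):
    """Return (accepted_ids, [(id, reason), ...]) for every assertion found.

    An assertion is accepted only if it carries a signature and every
    statement it makes comes from an issuer trusted for that statement type.
    """
    root = ET.fromstring(xml_text)
    accepted, rejected = [], []
    for a in root.iterfind(".//saml:Assertion", NS):
        aid = a.get("ID")
        issuer_el = a.find("saml:Issuer", NS)
        issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
        # Placeholder: a real receiver verifies the XML-DSig here and binds
        # the signing key to the issuer; presence alone proves nothing.
        if a.find("ds:Signature", NS) is None:
            rejected.append((aid, "unsigned"))
            continue
        kinds = statement_types(a)
        if not kinds:
            rejected.append((aid, "no statements"))
            continue
        untrusted = [k for k in kinds if issuer not in policy.get(k, set())]
        if untrusted:
            rejected.append((aid, "issuer %s not trusted for %s" % (issuer, ",".join(untrusted))))
            continue
        accepted.append(aid)
    return accepted, rejected


if __name__ == "__main__":
    print(select_assertions(SAMPLE_RSTR))
    print(select_assertions(SAMPLE_COMBINED))
```

Run against the first sample, the IdP's authentication assertion and the AA's attribute assertion are accepted and the unsigned third one is dropped. Against the combined packaging, the same policy rejects the single assertion because the IdP is not listed as an attribute issuer; a relying party that wants to accept IdP-signed attribute statements has to say so explicitly in its policy, which is exactly the trust decision the second paragraph of the mail is worried about.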