mace-opensaml-users - RE: A suggestion about digital signatures
Subject: OpenSAML user discussion
List archive
- From: Massimiliano Masi <>
- To:
- Subject: RE: A suggestion about digital signatures
- Date: Sat, 22 Sep 2007 15:57:06 +0200
Hi Scott,
Quoting Scott Cantor
<>:
WS-Trust message elements don't belong in headers. I've seen them do it, but
I think it looks ridiculous. What you were dealing with is how to return
them from the WS-Trust server, and that's not in a header, it's the body.
Yes, sorry, this was my fault with the language! :-)
I agree with you, for sure! :-) My situation (just for an explanation)
is the following:
I have the Tokens returned by WS-Trust and I have to put them in
the wsse:Security element to forward them to another webservice call.
So, of course, WS-trust information goes in the body. Once I get the
SAML Assertions, I put them in the header for another webservice call.
I am trying to act as this:
Client asks for a SAML Authentication assertion to a STS via WS-Trust. The STS
asks the Attribute Authority via samlp:AttributeQuery. If the query returns
success, the STS returns to the client the RequestSecurityTokenCollection
containing the Auth Assertion and Attribute Assertion.
I put them in a wsse:Security element and I create another soap message
for the service that needs authentication. Then the service checks the
validity of the assertion,, with authorization decisions, and returns
the requested action.
The assertions are two because they are signed by two different entities,
the STS and the Attribute Authority.
My opinion is you should avoid inventing security protocols. Look at fully
formed specs that use WS-Security and if they don't do what you need, you
could adjust or extend those rather than inventing a whole new pile of
stuff.
I am not trying to inventing a new security protocol. Simply I'm trying
to get by the horns the IHE XUA profile,
ftp://ftp.ihe.net/IT_Infrastructure/iheitiyr5-2007-2008/Technical_Cmte/TrialImplementationSupplements/FinalWordVersions/IHE_ITI_TF_Supplement_XUA_TI_2007-08-15.pdf
that specifies the use of ws-trust., for getting saml assertions. I have this
doubts because the profile does not specifies well how messages are formed,
and I'm trying to implement it.
Thanks,
Massimiliano
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
- A suggestion about digital signatures, Massimiliano Masi, 09/19/2007
- RE: A suggestion about digital signatures, Scott Cantor, 09/19/2007
- RE: A suggestion about digital signatures, George Stanchev, 09/19/2007
- RE: A suggestion about digital signatures, Massimiliano Masi, 09/20/2007
- RE: A suggestion about digital signatures, Massimiliano Masi, 09/21/2007
- RE: A suggestion about digital signatures, Scott Cantor, 09/21/2007
- RE: A suggestion about digital signatures, Massimiliano Masi, 09/22/2007
- RE: A suggestion about digital signatures, Scott Cantor, 09/23/2007
- RE: A suggestion about digital signatures, Massimiliano Masi, 09/22/2007
- RE: A suggestion about digital signatures, Scott Cantor, 09/21/2007
- RE: A suggestion about digital signatures, George Stanchev, 09/19/2007
- Re: A suggestion about digital signatures, Brent Putman, 09/19/2007
- RE: A suggestion about digital signatures, Scott Cantor, 09/19/2007
Archive powered by MHonArc 2.6.16.