[OGSA-AUTHZ] comments for Use of SAML to Retrieve Authorization Credentials

Tom Scavo trscavo at gmail.com
Mon Jun 8 09:38:17 CDT 2009


On Mon, Jun 8, 2009 at 9:33 AM, Valerio
Venturi<valerio.venturi at cnaf.infn.it> wrote:
> Integrated. Thanks Tom.

Thanks, Valerio.  Note also that Draft-02 of the SAML V2.0
Holder-of-Key Assertion Request Profiles has been submitted to the
OASIS SSTC:

http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest

This draft includes the new Consent attribute value that you mention
in your notes.

> On Thu, 2009-05-21 at 20:36 -0500, Tom Scavo wrote:
>> Comments re the answers to comments:
>>
>> Item 1:
>>
>> - s/Consent parameter/Consent attribute/
>> - The Consent attribute MUST be present in the request since the
>> attribute value defaults to "unspecified", which is not what we want.
>> - Note that SAML2Core requires the request to be signed (lines 1511--1512).
>>
>> Item 2:
>>
>> - The assertion in the appendix is just an example.  The profile
>> should specify the content of the <saml:SubjectConfirmation> element
>> by referring normatively to SAMLHoK.
>>
>> Item 3:
>>
>> - This implies that SAMLX509SelfQry is not sufficient.  As an
>> alternative, refer normatively to the SAML V2.0 Holder-of-Key
>> Assertion Request Profiles.
>>
>> Item 4:
>>
>> none
>>
>> Item 5:
>>
>> none
>>
>> Item 6:
>>
>> - If the requester is the subject, the following requirements MUST be satisfied:
>>
>> 1. The value of the <saml:Issuer> element in the request MUST be the subject
>> distinguished name (DN) of the presented certificate (see the
>> Holder-of-Key Assertion Request Profiles).
>>
>> 2. The value of the Consent attribute SHOULD be
>> "urn:oasis:names:tc:SAML:2.0:consent:self" (where the latter will be
>> specified in draft-02 of the Holder-of-Key Assertion Request
>> Profiles).
>>
>> Tom Scavo
>> NCSA
>>
>> On Thu, May 21, 2009 at 5:28 PM, Valerio Venturi
>> <valerio.venturi at cnaf.infn.it> wrote:
>> > I have summarized in a wiki page the comments and answers received
>> > on 'Use of SAML to Retrieve Authorization Credentials'
>> > https://forge.gridforum.org/sf/wiki/do/viewPage/projects.ogsa-authz/wiki/AnswerToPublicCommentsToOGFSAML?_message=1242400598869
>> >
>> > If everything is ok I'll do the integration and upload a new draft.
>> >
>> > Valerio
>> >
>
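As an added illustration that is not part of this thread or of the OGF draft, the following Python checks an incoming SAML 2.0 AttributeQuery against the points raised in Items 1, 2/3 and 6 above (Consent present and not "unspecified", request signed, holder-of-key SubjectConfirmation, and the Issuer/Consent rules when the requester is the subject). The sample request, its DN and the ds:Signature placeholder are constructed for the example; the caller is assumed to have already authenticated the requester by TLS client certificate and to pass that certificate's subject DN.

```python
# Added example, not code from the thread: validate a SAML 2.0 AttributeQuery
# against the Consent / signature / holder-of-key / Issuer rules discussed above.
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CONSENT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"  # SAML2Core default
CONSENT_SELF = "urn:oasis:names:tc:SAML:2.0:consent:self"  # value proposed for draft-02
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

def check_request(xml_text, presented_subject_dn):
    # Returns the list of violations; an empty list means the request passes.
    root = ET.fromstring(xml_text)
    problems = []
    # Item 1: Consent MUST be present; an absent attribute defaults to "unspecified".
    consent = root.get("Consent", CONSENT_UNSPECIFIED)
    if consent == CONSENT_UNSPECIFIED:
        problems.append("Consent attribute missing or 'unspecified'")
    # Item 1: SAML2Core requires a signed request (presence check only; XML-DSig
    # verification needs a signature library and is outside this example).
    if root.find("ds:Signature", NS) is None:
        problems.append("request is not signed")
    # Items 2/3: subject confirmation must use the holder-of-key method with a key.
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOK_METHOD:
        problems.append("SubjectConfirmation is not holder-of-key")
    elif sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is None:
        problems.append("holder-of-key SubjectConfirmation lacks ds:KeyInfo")
    # Item 6: requester is the subject when the queried NameID is the presented
    # certificate's DN; then Issuer MUST be that DN and Consent SHOULD be :self.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id == presented_subject_dn:
        if issuer != presented_subject_dn:
            problems.append("requester is the subject but Issuer != certificate subject DN")
        if consent != CONSENT_SELF:
            problems.append("requester is the subject but Consent is not consent:self")
    return problems

# Constructed sample (not a real message): a self-query by the certificate holder.
SAMPLE_DN = "CN=Example User,O=Example Org,C=US"
SAMPLE_REQUEST = f"""<samlp:AttributeQuery xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_example1" Version="2.0" IssueInstant="2009-06-08T14:38:17Z" Consent="{CONSENT_SELF}">
  <saml:Issuer Format="{X509_FMT}">{SAMPLE_DN}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="{X509_FMT}">{SAMPLE_DN}</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data/></ds:KeyInfo></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</samlp:AttributeQuery>"""
```

Dropping the Consent attribute from the sample reproduces the Item 1 failure (the value silently becomes "unspecified") and, for a self-query, the Item 6 SHOULD as well.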