[OGSA-AUTHZ] comments for Use of SAML to Retrieve Authorization Credentials

Tom Scavo trscavo at gmail.com
Thu May 21 20:36:20 CDT 2009


Comments re the answers to comments:

Item 1:

- s/Consent parameter/Consent attribute/
- The Consent attribute MUST be present in the request since the
attribute value defaults to "unspecified", which is not what we want.
- Note that SAML2Core requires the request to be signed (lines 1511--1512).

Item 2:

- The assertion in the appendix is just an example.  The profile
should specify the content of the <saml:SubjectConfirmation> element
by referring normatively to SAMLHoK.

Item 3:

- This implies that SAMLX509SelfQry is not sufficient.  As an
alternative, refer normatively to the SAML V2.0 Holder-of-Key
Assertion Request Profiles.

Item 4:

none

Item 5:

none

Item 6:

- If the requester is the subject, the following requirements MUST be satisfied:

1. The value of the <saml:Issuer> element in the request MUST be the subject
distinguished name (DN) of the presented certificate (see the
Holder-of-Key Assertion Request Profiles).

2. The value of the Consent attribute SHOULD be
"urn:oasis:names:tc:SAML:2.0:consent:self" (where the latter will be
specified in draft-02 of the Holder-of-Key Assertion Request
Profiles).

Tom Scavo
NCSA
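The request-side requirements listed above (a non-"unspecified" Consent attribute, a signed request, and for a self-query an <saml:Issuer> equal to the subject DN of the presented certificate with Consent set to consent:self) can be checked mechanically. The following is an added illustration, not code from the profile or the working group; the sample AttributeQuery, the DN values and the bare <ds:Signature> placeholder are constructed, and the Issuer/DN comparison is a plain string match (real deployments would normalise the DN and verify the XML signature).

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
CONSENT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
CONSENT_SELF = "urn:oasis:names:tc:SAML:2.0:consent:self"

# Constructed sample: a self-query whose Issuer matches the presented certificate.
SUBJECT_DN = "CN=Example Requester,O=Example Org,C=US"   # placeholder DN
GOOD_REQUEST = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_req1" Version="2.0" IssueInstant="2009-05-21T00:00:00Z"
    Consent="{CONSENT_SELF}">
  <saml:Issuer>{SUBJECT_DN}</saml:Issuer>
  <ds:Signature/>
  <saml:Subject><saml:NameID>{SUBJECT_DN}</saml:NameID></saml:Subject>
</samlp:AttributeQuery>"""

# Constructed sample that violates every requirement: no Consent, no signature,
# Issuer differs from the presented certificate's subject DN.
BAD_REQUEST = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req2" Version="2.0" IssueInstant="2009-05-21T00:00:00Z">
  <saml:Issuer>CN=Someone Else,O=Example Org,C=US</saml:Issuer>
  <saml:Subject><saml:NameID>{SUBJECT_DN}</saml:NameID></saml:Subject>
</samlp:AttributeQuery>"""


def check_request(xml_text, presented_subject_dn, requester_is_subject):
    """Return the list of profile violations found; an empty list means the request passes."""
    problems = []
    root = ET.fromstring(xml_text)
    consent = root.get("Consent")
    # Consent MUST be present; an absent attribute defaults to "unspecified".
    if consent is None or consent == CONSENT_UNSPECIFIED:
        problems.append("Consent attribute missing or 'unspecified'")
    # SAML2Core requires the request to be signed; presence check only here.
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("request is not signed")
    if requester_is_subject:
        issuer = root.findtext(f"{{{SAML}}}Issuer")
        if issuer != presented_subject_dn:
            problems.append("Issuer does not match subject DN of presented certificate")
        if consent != CONSENT_SELF:
            problems.append("self-query SHOULD use consent:self")
    return problems
```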

On Thu, May 21, 2009 at 5:28 PM, Valerio Venturi
<valerio.venturi at cnaf.infn.it> wrote:
> I have summarized in a wiki page the comments and answers received
> on 'Use of SAML to Retrieve Authorization Credentials'
> https://forge.gridforum.org/sf/wiki/do/viewPage/projects.ogsa-authz/wiki/AnswerToPublicCommentsToOGFSAML?_message=1242400598869
>
> If everything is ok I'll do the integration and upload a new draft.
>
> Valerio
>
>
> --
>  ogsa-authz-wg mailing list
>  ogsa-authz-wg at ogf.org
>  http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>
