[Pgi-wg] [gridshib-user] comments regarding a VOMS-SAML token--ANY plan to make VOMS SAML assertion be compatible with WS-Security SAML Token profile?
Valerio Venturi
valerio.venturi at cnaf.infn.it
Mon Mar 30 10:07:07 CDT 2009
Hi Weizhong,
can you be more specific? The issues Tom pointed at are all valid, and
we will for sure address them. But what would be that prevent using the
assertion with WS-Security (when correctness of the SAML assertion will
be fixed)?
SOAP message layer authentication ins't in the scope of the Strawmann
profile, which mandates SSL/TLS mutual authn.
Valerio
On Mon, 2009-03-30 at 16:25 +0200, weizhong qiang wrote:
> hi voms folks, all,
> The current voms SAML assertion is not compatible with WS-Security
> SAML Token profile. I would ask is there any plan to change it to make
> it be compatible? I ask this because I think if so, the SAML assertion
> can be used for SOAP message layer authentication, other than just
> including SAML attribute assertion.
>
>
> Thanks
> Weizhong Qiang
>
>
> On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo at gmail.com> wrote:
> Thanks to Benjamin for posting this VOMS-SAML response to
> gt-user. A
> critique (of the SAML, not Benjamin :) follows.
>
> - Note that the output is a <samlp:Response> element, not a
> <saml:Assertion> element. This is wrong. The requester must
> consume
> the response. Not sure why this isn't happening.
>
> - The value of the <saml:Issuer> element in the response is a
> DN but
> the Format XML attribute is missing. This is a bug. The
> default
> Format is "unspecified" but clearly this is not.
>
> - Second-level status codes are desirable so they can be
> echoed on the
> command line (if any).
>
> - Same comment about the <saml:Issuer> element in the
> assertion.
>
> - The use of SAML metadata requires that the Format on the
> <saml:Issuer> element be "entity" but clearly it is not. Thus
> the use
> of SAML metadata by the relying party is precluded.
>
> - Don't know if Shibboleth/OpenSAML can verify the signature
> (which is
> tricky business). This is a future experiment that needs to
> be done.
>
> - The <saml:SubjectConfirmation> element contains a
> <ds:X509Certificate> element, which precludes the binding of
> this
> holder-of-key assertion to a proxy certificate. This is a
> bug. Use a
> <ds:X509SubjectName> element instead (which causes the NameID
> itself
> to be redundant).
>
> - If the assertion is bound to a proxy certificate, the
> NotBefore and
> NotOnOrAfter attributes are redundant and superfluous. In
> fact, they
> may be wrong since they must agree with the NotBefore and
> NotOnOrAfter
> fields of the proxy.
>
> - Since the client authenticated directly to the server, a
> <saml:AuthnStatement> is desirable (not required, but
> potentially
> useful at the relying party).
>
> - The NameFormat XML attribute on the <saml:Attribute> element
> should
> be "uri" not "unspecified".
>
> - The "xsi:" prefix on the <saml:AttributeValue> element is
> undefined.
> This is a bug.
>
> - The <saml:AttributeValue> elements do not conform to the
> XACML
> Attribute Profile (actually, I don't think the attributes
> conform to
> *any* SAML V2.0 attribute profile).
>
> Hope this helps,
> Tom
>
> ---------- Forwarded message ----------
> From: Benjamin Henne <henne at rvs.uni-hannover.de>
> Date: Wed, Feb 4, 2009 at 1:59 AM
> Subject: Re: [gt-user] SAML based VOMS Server
> To: Tom Scavo <trscavo at gmail.com>
> Cc: GT User <gt-user at globus.org>
>
>
> <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
> InResponseTo="_qwertyuiopasdfghjklzxcvbn"
> IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
> <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> <Status>
> <StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </Status>
> <saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
> IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
>
> <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> PrefixList="ds saml
> xs"/></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> ...
> </ds:SignatureValue>
> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
> <saml:Subject>
> <saml:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin
> Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
> <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <saml:SubjectConfirmationData>
> <ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>...</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </saml:SubjectConfirmationData>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
> NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
> <saml:AttributeStatement>
> <saml:Attribute
> Name="http://voms.forge.cnaf.infn.it/roles"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="nationality"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">German</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute
> Name="http://voms.forge.cnaf.infn.it/group"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">/RVS/education</saml:AttributeValue>
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">/RVS</saml:AttributeValue>
> <saml:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">/RVS/research</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> </saml:Assertion>
> </Response>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2875 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/pgi-wg/attachments/20090330/2cf299e9/attachment-0001.bin
More information about the Pgi-wg
mailing list