[Pgi-wg] [gridshib-user] comments regarding a VOMS-SAML token--ANY plan to make VOMS SAML assertion be compatible with WS-Security SAML Token profile?
weizhong qiang
weizhongqiang at gmail.com
Mon Mar 30 11:06:37 CDT 2009
hi,
According to the specification of SAML Token Profile 1.1
(http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
I list the differences as follows; some of the points are trivial.
For a SAML Token which is compliant with SAML V1.1:
<saml:Assertion xmlns:saml="..."
AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
IssueInstant="2005-05-27T16:53:33.173Z"
Issuer="www.opensaml.org"
MajorVersion="1"
MinorVersion="1">
<saml:Conditions
NotBefore="2005-05-27T16:53:33.173Z"
NotOnOrAfter="2005-05-27T16:58:33.17302Z"/>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
NameQualifier="www.example.com"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
uid=joe,ou=people,ou=saml-demo,o=baltimore.com
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<ds:KeyInfo>
<ds:KeyValue>...</ds:KeyValue>
</ds:KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute
AttributeName="MemberLevel"
AttributeNamespace="http://www.oasis-open.org/Catalyst2002/attributes">
<saml:AttributeValue>gold</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
AttributeName="E-mail"
AttributeNamespace="http://www.oasis-open.org/Catalyst2002/attributes">
<saml:AttributeValue>joe@yahoo.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature>...</ds:Signature>
</saml:Assertion>
For a SAML Token which is compliant with SAML V2.0:
<saml2:Assertion xmlns:saml2="..." xmlns:xsi="..."
ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
<saml2:Subject>
<saml2:NameID>
...
</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData
xsi:type="saml2:KeyInfoConfirmationDataType">
<ds:KeyInfo>
<ds:KeyValue>...</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Statement>
...
</saml2:Statement>
<ds:Signature>...</ds:Signature>
</saml2:Assertion>
Suppose the VOMS SAML assertion uses SAML V2.0.
Some comments:
1. The signature for <saml:Response> could also be necessary, even though the
integrity is guaranteed by TLS.
2. The XML attribute xsi:type="saml2:KeyInfoConfirmationDataType" could be
necessary for <saml2:SubjectConfirmationData/>.
3. The <saml:SubjectConfirmation> element contains a <ds:X509Certificate>
element, but it would probably be better to just contain a <ds:KeyValue>, since
the certificate chain of the "subject" is already supposed to be verified
by the third-party authority (in this case, the VOMS SAML service), and
this public key is then used to sign the SOAP message afterwards. For SOAP
message verification on the relying-party side, the relying party does not need to
verify the certificate chain of the "subject".
<ds:KeyValue> is also convenient for proxy certificates, in my opinion.
4. Use <saml:Statement> instead of <saml:AttributeStatement>.
Cheers,
Weizhong
On Mon, Mar 30, 2009 at 5:00 PM, Tom Scavo <trscavo at gmail.com> wrote:
> Hi Weizhong,
>
> Can you outline why you think the VOMS SAML assertion is not
> compatible with the WSS SAML Token Profile?
>
> Thanks,
> Tom
>
> PS. The comments quoted below mostly refer to a VOMS SAML assertion
> bound to an X.509 proxy certificate (but the requirements are not the
> same as a VOMS SAML assertion bound to SOAP header).
>
> On Mon, Mar 30, 2009 at 10:25 AM, weizhong qiang
> <weizhongqiang at gmail.com> wrote:
> > hi voms folks, all,
> > The current voms SAML assertion is not compatible with the WS-Security SAML
> > Token profile. I would ask whether there is any plan to change it to make it
> > compatible? I ask this because I think if so, the SAML assertion can be used
> > for SOAP message layer authentication, other than just including the SAML
> > attribute assertion.
> >
> >
> > Thanks
> > Weizhong Qiang
> >
> >
> > On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo at gmail.com> wrote:
> >>
> >> Thanks to Benjamin for posting this VOMS-SAML response to gt-user. A
> >> critique (of the SAML, not Benjamin :) follows.
> >>
> >> - Note that the output is a <samlp:Response> element, not a
> >> <saml:Assertion> element. This is wrong. The requester must consume
> >> the response. Not sure why this isn't happening.
> >>
> >> - The value of the <saml:Issuer> element in the response is a DN but
> >> the Format XML attribute is missing. This is a bug. The default
> >> Format is "unspecified" but clearly this is not.
> >>
> >> - Second-level status codes are desirable so they can be echoed on the
> >> command line (if any).
> >>
> >> - Same comment about the <saml:Issuer> element in the assertion.
> >>
> >> - The use of SAML metadata requires that the Format on the
> >> <saml:Issuer> element be "entity" but clearly it is not. Thus the use
> >> of SAML metadata by the relying party is precluded.
> >>
> >> - Don't know if Shibboleth/OpenSAML can verify the signature (which is
> >> tricky business). This is a future experiment that needs to be done.
> >>
> >> - The <saml:SubjectConfirmation> element contains a
> >> <ds:X509Certificate> element, which precludes the binding of this
> >> holder-of-key assertion to a proxy certificate. This is a bug. Use a
> >> <ds:X509SubjectName> element instead (which causes the NameID itself
> >> to be redundant).
> >>
> >> - If the assertion is bound to a proxy certificate, the NotBefore and
> >> NotOnOrAfter attributes are redundant and superfluous. In fact, they
> >> may be wrong since they must agree with the NotBefore and NotOnOrAfter
> >> fields of the proxy.
> >>
> >> - Since the client authenticated directly to the server, a
> >> <saml:AuthnStatement> is desirable (not required, but potentially
> >> useful at the relying party).
> >>
> >> - The NameFormat XML attribute on the <saml:Attribute> element should
> >> be "uri" not "unspecified".
> >>
> >> - The "xsi:" prefix on the <saml:AttributeValue> element is undefined.
> >> This is a bug.
> >>
> >> - The <saml:AttributeValue> elements do not conform to the XACML
> >> Attribute Profile (actually, I don't think the attributes conform to
> >> *any* SAML V2.0 attribute profile).
> >>
> >> Hope this helps,
> >> Tom
> >>
> >> ---------- Forwarded message ----------
> >> From: Benjamin Henne <henne at rvs.uni-hannover.de>
> >> Date: Wed, Feb 4, 2009 at 1:59 AM
> >> Subject: Re: [gt-user] SAML based VOMS Server
> >> To: Tom Scavo <trscavo at gmail.com>
> >> Cc: GT User <gt-user at globus.org>
> >>
> >>
> >> <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
> >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> >> ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
> >> InResponseTo="_qwertyuiopasdfghjklzxcvbn"
> >> IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
> >> <saml:Issuer
> >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> >> <Status>
> >> <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> >> </Status>
> >> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> >> ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
> >> IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
> >>
> >> <saml:Issuer>CN=voms3.gridlab.uni-hannover.de,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >> <ds:SignedInfo>
> >> <ds:CanonicalizationMethod
> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >> <ds:SignatureMethod
> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >> <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
> >> <ds:Transforms>
> >> <ds:Transform
> >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >> <ds:Transform
> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
> >> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/></ds:Transform>
> >> </ds:Transforms>
> >> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >> <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
> >> </ds:Reference>
> >> </ds:SignedInfo>
> >> <ds:SignatureValue>
> >> ...
> >> </ds:SignatureValue>
> >> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
> >> </ds:Signature>
> >> <saml:Subject>
> >> <saml:NameID
> >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
> >> <saml:SubjectConfirmation
> >> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> >> <saml:SubjectConfirmationData>
> >> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >> <ds:X509Data>
> >> <ds:X509Certificate>...</ds:X509Certificate>
> >> </ds:X509Data>
> >> </ds:KeyInfo>
> >> </saml:SubjectConfirmationData>
> >> </saml:SubjectConfirmation>
> >> </saml:Subject>
> >> <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
> >> NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
> >> <saml:AttributeStatement>
> >> <saml:Attribute Name="http://voms.forge.cnaf.infn.it/roles"
> >> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">staff@/RVS/research/SAML</saml:AttributeValue>
> >> </saml:Attribute>
> >> <saml:Attribute Name="nationality"
> >> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">German</saml:AttributeValue>
> >> </saml:Attribute>
> >> <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
> >> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">/RVS/education</saml:AttributeValue>
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">/RVS</saml:AttributeValue>
> >> <saml:AttributeValue
> >> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >> xsi:type="xs:string">/RVS/research</saml:AttributeValue>
> >> </saml:Attribute>
> >> </saml:AttributeStatement>
> >> </saml:Assertion>
> >> </Response>
> >
> >
>
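The structural points raised in this thread (a bare saml:Assertion rather than a samlp:Response wrapper, a Format on saml:Issuer, a holder-of-key confirmation typed as KeyInfoConfirmationDataType and carrying a ds:KeyValue, an enveloped signature that references the assertion ID, the NotBefore/NotOnOrAfter window, and a NameFormat other than "unspecified" on attributes) can be turned into a relying-party lint pass. The following is an added example in Python, not code from the thread, VOMS or OpenSAML; the two assertions it checks are constructed (one modelled on the quoted VOMS output, one adjusted to the profile), the rule names are this example's own, and it deliberately does not verify the XML signature itself or resolve the xsi:type prefix, which a real verifier must do.

```python
# Structural checks for a SAML V2.0 holder-of-key token, following the points
# raised in the thread (WSS SAML Token Profile 1.1 and the critique above).
# Added example, not VOMS or OpenSAML code. The assertions below are
# constructed for illustration; the rule names are this example's own.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ENTITY_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
UNSPECIFIED_ATTR = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def parse_ts(value):
    """SAML UTC dateTime (optional fraction, trailing Z) -> aware datetime."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def lint_assertion(xml_text, now):
    """Return the list of rule names violated by one token (empty = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # e.g. an undeclared prefix, as with the "xsi:" case in the thread
        return ["not-well-formed"]
    findings = []
    if root.tag == "{%s}Response" % NS["samlp"]:
        # the relying party consumes a bare assertion, not the protocol wrapper
        findings.append("response-wrapper")
        root = root.find("saml:Assertion", NS)
        if root is None:
            return findings + ["no-assertion"]
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        findings.append("issuer-missing")
    elif issuer.get("Format") != ENTITY_FMT:
        # a DN without Format is not "unspecified"; metadata lookup needs "entity"
        findings.append("issuer-format")
    sig = root.find("ds:Signature", NS)
    ref = None if sig is None else sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        findings.append("signature-reference")  # enveloped signature must cover this ID
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOK:
        findings.append("confirmation-method")
    else:
        scd = sc.find("saml:SubjectConfirmationData", NS)
        # the profile types the confirmation data; prefix resolution is skipped here
        if scd is None or (scd.get(XSI_TYPE) or "").split(":")[-1] != "KeyInfoConfirmationDataType":
            findings.append("confirmation-data-type")
        keyinfo = None if scd is None else scd.find("ds:KeyInfo", NS)
        if keyinfo is None or keyinfo.find("ds:KeyValue", NS) is None:
            # certificate-only KeyInfo makes the relying party re-validate a chain
            findings.append("key-value-missing")
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
            findings.append("validity-window")
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat", UNSPECIFIED_ATTR) == UNSPECIFIED_ATTR:
            findings.append("attribute-name-format")
            break
    return findings


# Constructed sample modelled on the shape of the quoted VOMS output (IDs and DNs are placeholders).
VOMS_STYLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2008-10-16T19:03:57Z">
  <saml:Issuer>CN=voms.example.invalid,O=Example</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>CN=Joe User,O=Example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-10-16T19:03:57Z" NotOnOrAfter="2008-10-17T06:03:57Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>/RVS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same token adjusted as the thread suggests: entity Format on the Issuer,
# typed confirmation data with a ds:KeyValue, and a "uri" attribute NameFormat.
PROFILE_STYLE = (VOMS_STYLE
    .replace('<saml:Issuer>', '<saml:Issuer Format="%s">' % ENTITY_FMT)
    .replace('<saml:SubjectConfirmationData>',
             '<saml:SubjectConfirmationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
             ' xsi:type="saml:KeyInfoConfirmationDataType">')
    .replace('<ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data>',
             '<ds:KeyValue>...</ds:KeyValue>')
    .replace('attrname-format:unspecified', 'attrname-format:uri'))

if __name__ == "__main__":
    now = datetime(2008, 10, 16, 20, 0, tzinfo=timezone.utc)
    print("VOMS-style:", lint_assertion(VOMS_STYLE, now))
    print("profile-style:", lint_assertion(PROFILE_STYLE, now))
```

Run stand-alone, the VOMS-style sample reports the issuer Format, the untyped confirmation data, the certificate-only KeyInfo and the "unspecified" attribute NameFormat, while the adjusted sample is clean; a token with an undeclared prefix fails at parse time before any rule runs, which is the cheapest place to catch that class of bug.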