[Pgi-wg] [gridshib-user] comments regarding a VOMS-SAML token--ANY plan to make VOMS SAML assertion be compatible with WS-Security SAML Token profile?

Mon Mar 30 11:10:44 CDT 2009

On Mon, Mar 30, 2009 at 5:07 PM, Valerio Venturi <
valerio.venturi at cnaf.infn.it> wrote:

> Hi Weizhong,
> can you be more specific? The issues Tom pointed at are all valid, and
> we will for sure address them. But what would be that prevent using the
> assertion with WS-Security (when correctness of the SAML assertion will
> be fixed)?
> SOAP message layer authentication ins't in the scope of the Strawmann
> profile, which mandates SSL/TLS mutual authn.

Yes, it is not in the Strawman profile. But I think it does not hurt if the
WS client can get standardized SAML token from voms saml service, and
optionally uses it for SOAP message authentication. Of cause, the condition
is the compliance of this standarlization does not conflict to the
compliance of the other stadarlizations.

Cheers
Weizhong

>
>
> Valerio
>
>
> On Mon, 2009-03-30 at 16:25 +0200, weizhong qiang wrote:
> > hi voms folks, all,
> > The current voms SAML assertion is not compatible with WS-Security
> > SAML Token profile. I would ask is there any plan to change it to make
> > it be compatible? I ask this because I think if so, the SAML assertion
> > can be used for SOAP message layer authentication, other than just
> > including SAML attribute assertion.
> >
> >
> > Thanks
> > Weizhong Qiang
> >
> >
> > On Tue, Feb 10, 2009 at 5:21 AM, Tom Scavo <trscavo at gmail.com> wrote:
> >         Thanks to Benjamin for posting this VOMS-SAML response to
> >         gt-user.  A
> >         critique (of the SAML, not Benjamin :) follows.
> >
> >         - Note that the output is a <samlp:Response> element, not a
> >         <saml:Assertion> element.  This is wrong.  The requester must
> >         consume
> >         the response.  Not sure why this isn't happening.
> >
> >         - The value of the <saml:Issuer> element in the response is a
> >         DN but
> >         the Format XML attribute is missing.  This is a bug.  The
> >         default
> >         Format is "unspecified" but clearly this is not.
> >
> >         - Second-level status codes are desirable so they can be
> >         echoed on the
> >         command line (if any).
> >
> >         - Same comment about the <saml:Issuer> element in the
> >         assertion.
> >
> >         - The use of SAML metadata requires that the Format on the
> >         <saml:Issuer> element be "entity" but clearly it is not.  Thus
> >         the use
> >         of SAML metadata by the relying party is precluded.
> >
> >         - Don't know if Shibboleth/OpenSAML can verify the signature
> >         (which is
> >         tricky business).  This is a future experiment that needs to
> >         be done.
> >
> >         - The <saml:SubjectConfirmation> element contains a
> >         <ds:X509Certificate> element, which precludes the binding of
> >         this
> >         holder-of-key assertion to a proxy certificate.  This is a
> >         bug.  Use a
> >         <ds:X509SubjectName> element instead (which causes the NameID
> >         itself
> >         to be redundant).
> >
> >         - If the assertion is bound to a proxy certificate, the
> >         NotBefore and
> >         NotOnOrAfter attributes are redundant and superfluous.  In
> >         fact, they
> >         may be wrong since they must agree with the NotBefore and
> >         NotOnOrAfter
> >         fields of the proxy.
> >
> >         - Since the client authenticated directly to the server, a
> >         <saml:AuthnStatement> is desirable (not required, but
> >         potentially
> >         useful at the relying party).
> >
> >         - The NameFormat XML attribute on the <saml:Attribute> element
> >         should
> >         be "uri" not "unspecified".
> >
> >         - The "xsi:" prefix on the <saml:AttributeValue> element is
> >         undefined.
> >          This is a bug.
> >
> >         - The <saml:AttributeValue> elements do not conform to the
> >         XACML
> >         Attribute Profile (actually, I don't think the attributes
> >         conform to
> >         *any* SAML V2.0 attribute profile).
> >
> >         Hope this helps,
> >         Tom
> >
> >         ---------- Forwarded message ----------
> >         From: Benjamin Henne <henne at rvs.uni-hannover.de>
> >         Date: Wed, Feb 4, 2009 at 1:59 AM
> >         Subject: Re: [gt-user] SAML based VOMS Server
> >         To: Tom Scavo <trscavo at gmail.com>
> >         Cc: GT User <gt-user at globus.org>
> >
> >
> >         <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
> >         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> >         ID="_d01d46b7-d16a-4ae8-b9bb-beb8844838b6"
> >         InResponseTo="_qwertyuiopasdfghjklzxcvbn"
> >         IssueInstant="2008-10-16T19:03:57.922Z" Version="2.0">
> >          <saml:Issuer
> >         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">CN=
> voms3.gridlab.uni-hannover.de
> ,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> >          <Status>
> >           <StatusCode
> >         Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> >          </Status>
> >          <saml:Assertion
> >         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> >         ID="_81b685e5-4650-4ba9-b1c6-0ed957cc33ac"
> >         IssueInstant="2008-10-16T19:03:57.920Z" Version="2.0">
> >
> >         <saml:Issuer>CN=voms3.gridlab.uni-hannover.de
> ,OU=UniHannover,O=GermanGrid,C=DE</saml:Issuer>
> >           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >         <ds:CanonicalizationMethod
> >         Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         <ds:SignatureMethod
> >         Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >         <ds:Reference URI="#_81b685e5-4650-4ba9-b1c6-0ed957cc33ac">
> >         <ds:Transforms>
> >         <ds:Transform
> >         Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature
> "/>
> >         <ds:Transform
> >         Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#
> "><ec:InclusiveNamespaces
> >         xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> >         PrefixList="ds saml
> >         xs"/></ds:Transform>
> >         </ds:Transforms>
> >         <ds:DigestMethod
> >         Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >         <ds:DigestValue>j55K/cn8GQNuTQ52Kr3r0NGRJ0w=</ds:DigestValue>
> >         </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>
> >         ...
> >         </ds:SignatureValue>
> >
> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
> >           <saml:Subject>
> >             <saml:NameID
> >
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Benjamin
> >         Henne,OU=UniHannover,O=GermanGrid,C=DE</saml:NameID>
> >             <saml:SubjectConfirmation
> >         Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> >               <saml:SubjectConfirmationData>
> >                 <ds:KeyInfo
> >         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                   <ds:X509Data>
> >                     <ds:X509Certificate>...</ds:X509Certificate>
> >                   </ds:X509Data>
> >                 </ds:KeyInfo>
> >               </saml:SubjectConfirmationData>
> >             </saml:SubjectConfirmation>
> >           </saml:Subject>
> >           <saml:Conditions NotBefore="2008-10-16T19:03:57.920Z"
> >         NotOnOrAfter="2008-10-17T06:03:57.920Z"/>
> >           <saml:AttributeStatement>
> >             <saml:Attribute
> >         Name="http://voms.forge.cnaf.infn.it/roles"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">VO-Admin@/RVS</saml:AttributeValue>
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">resass@/RVS/education</saml:AttributeValue>
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">staff@
> /RVS/research/SAML</saml:AttributeValue>
> >             </saml:Attribute>
> >             <saml:Attribute Name="nationality"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">German</saml:AttributeValue>
> >             </saml:Attribute>
> >             <saml:Attribute
> >         Name="http://voms.forge.cnaf.infn.it/group"
> >
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">/RVS/education</saml:AttributeValue>
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">/RVS</saml:AttributeValue>
> >               <saml:AttributeValue
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >         xsi:type="xs:string">/RVS/research</saml:AttributeValue>
> >             </saml:Attribute>
> >           </saml:AttributeStatement>
> >          </saml:Assertion>
> >         </Response>
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/pgi-wg/attachments/20090330/56318fc5/attachment.html 