Thread: MTI security models for SOAP Binding (2 messages in org.oasis-open.lists.security-services)

From / Sent On:
Mishra, Prateek / Aug 6, 2004 10:33 am
Eve L. Maler / Aug 6, 2004 12:42 pm
Subject: MTI security models for SOAP Binding
From: Mishra, Prateek (pmis@netegrity.com)
Date: Aug 6, 2004 10:33:07 am
List: org.oasis-open.lists.security-services

The SAML SOAP binding makes an appearance in 4 profiles:

(1) Web SSO Profile (via the Artifact Resolution Profile)
(2) AssertionQuery/Request Profile (AttributeQuery, AuthorizationDecisionQuery, AssertionIDRequest)
(3) NameID Mgmt
(4) Single Logout

Conformance-04 does not as yet include any MTI security models for the SOAP binding.

Proposal to add text to conformance-04 (starting at line 134)

2.3 Security models for SOAP Binding

The following security models are MTI for profiles that use the SOAP binding. The SAML requester and responder MUST implement the following authentication methods:

1. No client or server authentication.

2. HTTP basic authentication [RFC2617] with and without SSL 3.0 or TLS 1.0. The SAML requester MUST preemptively send the authorization header with the initial request.

3. HTTP over SSL 3.0 or TLS 1.0 (see Section 6) server authentication with a server-side certificate.

4. HTTP over SSL 3.0 or TLS 1.0 mutual authentication with both server-side and a client-side certificate.

If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side certificate.
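As an added illustration (not part of the original posting or of any OASIS text), the four proposed MTI models and their MUST constraints can be expressed as a small conformance check over a transport configuration. The configuration fields below are my own assumed names, not SAML or conformance-04 terminology.

```python
# Added example: classify a SAML SOAP-binding transport configuration into one
# of the four proposed MTI security models and report conformance problems.
# The SoapBindingConfig fields are assumed names chosen for this example.
from dataclasses import dataclass

MTI_MODELS = {
    1: "no client or server authentication",
    2: "HTTP basic authentication [RFC2617], with or without SSL 3.0/TLS 1.0",
    3: "HTTP over SSL 3.0/TLS 1.0, server authentication with a server-side certificate",
    4: "HTTP over SSL 3.0/TLS 1.0, mutual authentication with server- and client-side certificates",
}

@dataclass
class SoapBindingConfig:
    tls: bool = False              # HTTP carried over SSL 3.0 or TLS 1.0
    server_cert: bool = False      # responder presents a server-side certificate
    client_cert: bool = False      # requester presents a client-side certificate
    basic_auth: bool = False       # HTTP basic authentication is used
    preemptive_auth: bool = False  # Authorization header sent with the initial request

def check_mti(cfg: SoapBindingConfig):
    """Return (model number, []) if cfg matches one MTI model, or (None, problems)."""
    problems = []
    # "If a SAML responder uses SSL 3.0 or TLS 1.0, it MUST use a server-side certificate."
    if cfg.tls and not cfg.server_cert:
        problems.append("SSL/TLS in use but the responder has no server-side certificate")
    # Basic auth: "MUST preemptively send the authorization header with the initial request."
    if cfg.basic_auth and not cfg.preemptive_auth:
        problems.append("HTTP basic auth is not sent preemptively with the initial request")
    # A client-side certificate only has meaning under model 4, i.e. over SSL/TLS.
    if cfg.client_cert and not cfg.tls:
        problems.append("client-side certificate configured without SSL 3.0 or TLS 1.0")
    if problems:
        return None, problems
    if cfg.basic_auth:                 # model 2 covers basic auth with and without SSL/TLS
        return 2, []
    if cfg.tls and cfg.client_cert:    # server- and client-side certificates
        return 4, []
    if cfg.tls:                        # server-side certificate only
        return 3, []
    return 1, []

if __name__ == "__main__":
    for cfg in (SoapBindingConfig(), SoapBindingConfig(tls=True),
                SoapBindingConfig(tls=True, server_cert=True, client_cert=True)):
        model, problems = check_mti(cfg)
        print(cfg, "->", MTI_MODELS[model] if model else problems)
```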