| From | Sent On | Attachments |
|---|---|---|
| Scott Cantor | Nov 20, 2008 10:08 am | |
| Nate Klingenstein | Nov 20, 2008 10:37 am | |
| Nate Klingenstein | Nov 20, 2008 10:43 am | |
| Tom Scavo | Nov 20, 2008 11:45 am | |
| Tom Scavo | Nov 20, 2008 11:54 am | |
| Scott Cantor | Nov 20, 2008 12:11 pm | |
| Nate Klingenstein | Nov 20, 2008 12:16 pm | |
| Scott Cantor | Nov 20, 2008 12:19 pm | |
| Nate Klingenstein | Nov 20, 2008 12:24 pm | |
| Nate Klingenstein | Nov 20, 2008 12:27 pm | |
| Subject: | Re: [security-services] Correction to my diatribe about assertion Subjects on last call | |
|---|---|---|
| From: | Tom Scavo (trsc...@gmail.com) | |
| Date: | Nov 20, 2008 11:54:25 am | |
| List: | org.oasis-open.lists.security-services | |
On Thu, Nov 20, 2008 at 1:38 PM, Nate Klingenstein <nd...@internet2.edu> wrote:
> So, here's the text I'd propose for draft -10:
>
> ● The <saml:Subject> element of every assertion returned MUST refer to the principal. It is allowable for the content of the <saml:Subject> elements to differ, e.g. using a different <saml:NameID> or <saml:SubjectConfirmation> elements.
>
> ● The set of one or more assertions MUST contain at least one <saml:AuthnStatement> that reflects the authentication of the principal to the identity provider.

"one or more holder-of-key assertions"

> ● Any assertion issued for consumption using this profile MUST be a holder-of-key assertion as defined in [SAML2HoKAP] and adhere to section 1.4 therein. If the <samlp:AuthnRequest> does not contain a <saml:Subject> with a <saml:SubjectConfirmation>, and the service provider does not indicate otherwise, such as through metadata,

How is this done with metadata?

> every assertion in the response MUST contain a <ds:X509Certificate> element in its <ds:X509Data>. This certificate SHOULD be DER-encoded.

Strike that last sentence. There is no requirement that the assertion be DER-encoded.

> Other certificate information MAY be included in additional child elements of <ds:X509Data>.
Tom
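As an added illustration (not part of the thread, and not code from any OASIS project), the following check applies the proposed draft -10 requirements to a response on the service-provider side: every assertion must carry a holder-of-key <saml:SubjectConfirmation>, at least one assertion must carry an <saml:AuthnStatement>, and, unless the request or SP metadata says otherwise (modelled by the assumed `cert_required` flag), each holder-of-key confirmation must carry a <ds:X509Certificate>. The sample response and its certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# Location of the key per SAML2HoKAP: ds:KeyInfo inside SubjectConfirmationData.
CERT_PATH = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def check_hok_response(xml_text, cert_required=True):
    """Return the list of requirement violations found (empty list = compliant).
    cert_required=False models the case where the AuthnRequest carried a
    SubjectConfirmation, or SP metadata indicated no certificate is needed."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["response carries no assertion"]
    problems, name_ids, saw_authn = [], set(), False
    for i, a in enumerate(assertions):
        subj = a.find("saml:Subject", NS)
        if subj is None:
            problems.append(f"assertion {i}: no <saml:Subject>")
            continue
        nid = subj.find("saml:NameID", NS)
        name_ids.add((nid.text or "").strip() if nid is not None else "")
        if a.find("saml:AuthnStatement", NS) is not None:
            saw_authn = True
        hok = [sc for sc in subj.findall("saml:SubjectConfirmation", NS)
               if sc.get("Method") == HOK]
        if not hok:
            problems.append(f"assertion {i}: no holder-of-key <saml:SubjectConfirmation>")
        elif cert_required and not any(sc.find(CERT_PATH, NS) is not None for sc in hok):
            problems.append(f"assertion {i}: holder-of-key confirmation lacks <ds:X509Certificate>")
    # Simplifying assumption: differing NameID values are treated as different principals.
    # The draft allows differing NameIDs, so a real SP would resolve them to one principal.
    if len(name_ids) > 1:
        problems.append("assertions do not all refer to the same principal")
    if not saw_authn:
        problems.append("no assertion carries an <saml:AuthnStatement>")
    return problems

# Constructed sample response (not from the thread); the certificate value is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
   <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2008-11-20T18:00:00Z"/>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_hok_response(SAMPLE))  # []
```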