Subject: definition of "strongly matches"
As mentioned on the last call, a primary goal of the Subject-based Profiles for SAML V1.1 Assertions is to define and apply the notion of "very strongly matches," which builds on the existing definition of "strongly matches." The definition of "strongly matches" in SAML V1.1 differs from that in SAML V2.0, however, so first we have to reconcile the two definitions.

The name identifier part of "strongly matches" in the two versions of SAML is the same if we ignore the language regarding encryption in the SAML V2.0 definition (which of course SAML V1.1 does not support). On the other hand, the subject confirmation part of "strongly matches" has a distinctly different flavor, so we first reformulate the subject confirmation part of "strongly matches" in SAML V1.1 so that it aligns with SAML V2.0.

With respect to SAML V1.1 <saml:SubjectConfirmation>, there seem to be two choices:

1) map a SAML V1.1 <saml:SubjectConfirmation> element containing multiple <saml:ConfirmationMethod> elements to multiple <saml2:SubjectConfirmation> elements each with a corresponding Method attribute, or

2) restrict a SAML V1.1 <saml:SubjectConfirmation> to have a single <saml:ConfirmationMethod> element.

For simplicity, we choose the latter in the profile:

http://www.oasis-open.org/apps/org/workgroup/security/download.php/26572/sstc-saml1-profiles-assertion-subject-draft-01.pdf

[lines 191--196] "In SAML V1.1, a <saml:Subject> element contains at most one <saml:SubjectConfirmation> element containing one or more <saml:ConfirmationMethod> elements. In SAML V2.0, on the other hand, there may be multiple <saml2:SubjectConfirmation> elements, each with a required Method attribute. Therefore, a <saml:Subject> element that conforms to this profile MAY contain a <saml:SubjectConfirmation> element, but that element MUST contain one and only one <saml:ConfirmationMethod> element."

Under the assumption that there is one and only one <saml:ConfirmationMethod> element, we define the subject confirmation part of "S1 strongly matches S2" as follows (to be inserted at line 240):

"If S2 contains a <saml:SubjectConfirmation> element, then S1 MUST contain a <saml:SubjectConfirmation> element such that the subject identified by S1 can be confirmed in the manner described by the <saml:SubjectConfirmation> element in S2."

Note that all of the following must be true:

a) The <saml:ConfirmationMethod> elements of S1 and S2 are equal.

b) If S2 has a <ds:KeyInfo> child element, then S1 has a <ds:KeyInfo> child element, and moreover, the two <ds:KeyInfo> elements refer to the same key.

c) If S2 has a <saml:SubjectConfirmationData> element, then S1 has a <saml:SubjectConfirmationData> element, and the contents of the two <saml:SubjectConfirmationData> elements are equivalent.

If any of the above are not true, S1 does not strongly match S2.

The rest of the profile depends on this definition of "strongly matches," so I'll stop there and ask if there are any questions or concerns.

Tom
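The subject confirmation half of the proposed "S1 strongly matches S2" rule, written out as a checker over SAML V1.1 <saml:Subject> elements. This is an added example, not code from the SSTC or the profile draft; it covers only conditions a), b) and c) above plus the profile's one-<saml:ConfirmationMethod> restriction, and leaves the name identifier part of the definition out. Two assumptions are made that the message does not settle: "refer to the same key" and "equivalent" are approximated by comparing a structural fingerprint (tag, attributes, whitespace-collapsed text, children) of the two elements, and the sample subjects are constructed inline. The confirmation method URIs and namespace URIs are the standard SAML V1.1 and XML Signature ones.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"


def _q(ns, local):
    """Clark-notation tag name as ElementTree stores it."""
    return "{%s}%s" % (ns, local)


def _canon(elem):
    """Structural fingerprint of an element subtree.

    Assumption of this example: two elements are 'equivalent', and two
    ds:KeyInfo elements 'refer to the same key', when their fingerprints are
    equal. A production implementation would compare parsed key material.
    """
    text = " ".join((elem.text or "").split())
    return (elem.tag, tuple(sorted(elem.attrib.items())), text,
            tuple(_canon(child) for child in elem))


def confirmation_strongly_matches(s1, s2):
    """Subject confirmation part of 'S1 strongly matches S2'.

    Returns (True, "") when the rule holds, otherwise (False, reason).
    """
    sc2 = s2.find(_q(SAML1, "SubjectConfirmation"))
    if sc2 is None:
        return True, ""          # S2 places no confirmation requirement on S1
    sc1 = s1.find(_q(SAML1, "SubjectConfirmation"))
    if sc1 is None:
        return False, "S1 has no SubjectConfirmation"

    # Profile restriction: exactly one ConfirmationMethod on each side.
    m1 = sc1.findall(_q(SAML1, "ConfirmationMethod"))
    m2 = sc2.findall(_q(SAML1, "ConfirmationMethod"))
    if len(m1) != 1 or len(m2) != 1:
        return False, "profile requires one and only one ConfirmationMethod"
    # a) the ConfirmationMethod elements are equal
    if (m1[0].text or "").strip() != (m2[0].text or "").strip():
        return False, "ConfirmationMethod differs"
    # b) KeyInfo in S2 demands a KeyInfo in S1 for the same key
    k2 = sc2.find(_q(DS, "KeyInfo"))
    if k2 is not None:
        k1 = sc1.find(_q(DS, "KeyInfo"))
        if k1 is None or _canon(k1) != _canon(k2):
            return False, "KeyInfo missing or refers to a different key"
    # c) SubjectConfirmationData in S2 demands equivalent data in S1
    d2 = sc2.find(_q(SAML1, "SubjectConfirmationData"))
    if d2 is not None:
        d1 = sc1.find(_q(SAML1, "SubjectConfirmationData"))
        if d1 is None or _canon(d1) != _canon(d2):
            return False, "SubjectConfirmationData missing or not equivalent"
    return True, ""


def make_subject(method=None, key_name=None, conf_data=None, extra_methods=()):
    """Build a constructed <saml:Subject>; method=None gives no SubjectConfirmation."""
    confirmation = ""
    if method is not None:
        methods = "".join("<saml:ConfirmationMethod>%s</saml:ConfirmationMethod>" % m
                          for m in (method,) + tuple(extra_methods))
        data = ("<saml:SubjectConfirmationData>%s</saml:SubjectConfirmationData>"
                % conf_data if conf_data is not None else "")
        key = ("<ds:KeyInfo><ds:KeyName>%s</ds:KeyName></ds:KeyInfo>"
               % key_name if key_name is not None else "")
        confirmation = "<saml:SubjectConfirmation>%s%s%s</saml:SubjectConfirmation>" % (
            methods, data, key)
    xml = ("<saml:Subject xmlns:saml='%s' xmlns:ds='%s'>"
           "<saml:NameIdentifier Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>"
           "user@example.org</saml:NameIdentifier>%s</saml:Subject>") % (SAML1, DS, confirmation)
    return ET.fromstring(xml)


# Constructed sample: S2 is the reference subject (e.g. from a query), S1 the candidate.
S2 = make_subject(HOLDER_OF_KEY, key_name="signing-key-1")
S1_SAME_KEY = make_subject(HOLDER_OF_KEY, key_name="  signing-key-1\n", conf_data="extra")
S1_OTHER_KEY = make_subject(HOLDER_OF_KEY, key_name="other-key")
S1_BEARER = make_subject(BEARER)
S1_TWO_METHODS = make_subject(HOLDER_OF_KEY, key_name="signing-key-1", extra_methods=(BEARER,))
S_NO_CONFIRMATION = make_subject()

if __name__ == "__main__":
    for label, s1 in [("same key", S1_SAME_KEY), ("other key", S1_OTHER_KEY),
                      ("bearer", S1_BEARER), ("two methods", S1_TWO_METHODS)]:
        print(label, confirmation_strongly_matches(s1, S2))
```

Note that an S1 carrying <saml:SubjectConfirmationData> that S2 lacks still matches: the rule only constrains what S2 asks for, which is the same directionality the SAML V2.0 definition has.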