OASIS Mailing List Archives

ws-sx message

Subject: Re: [ws-sx] Issue 101: Need additional SamlToken Assertion Elementsfor Holder-of-Key and Sender-Vouches (and Bearer)


To address issue 101:

   http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i101

plus the recommendations that have been put forth since the
issue was first raised, in particular, the recommendation that
the SAML ConfirmationMethod be inferrable from the
ws-sp context, and that the bearer confirmation method
also be included, I am proposing the text below to
follow line 1417 of the version 9 ws-sp spec:

   http://www.oasis-open.org/committees/download.php/20152/ws-securitypolicy-1.2-spec-ed-01-r09-diff.pdf


Proposed text follows between indicators:

<start of proposed text>

 Note: WSS:SAMLTokenProfile1.0 and WSS:SAMLTokenProfile1.1
 describe 3 types of SAML Assertion ConfirmationMethods: holder-of-key,
 sender-vouches, and bearer. The following guidelines may be used to
 determine which kind of SAML ConfirmationMethod will meet the policy
 requirements:

     If the SamlToken Assertion appears within a Security Binding assertion,
     then it should, in general, be assumed that a SAML holder-of-key assertion
     is required to satisfy the policy requirement.

     If the SamlToken Assertion appears within a SignedSupportingTokens element,
     which is outside of any Security Binding assertion, then it may be assumed
     that a SAML sender-vouches assertion will satisfy the policy requirement.

     If the SamlToken Assertion appears within a SupportingTokens element which
     is outside of any Security Binding assertion, then it may be assumed that a
     SAML bearer assertion will satisfy the policy requirement.

<end of proposed text>

In addition, a new revision of the Use Cases document will be issued later
today containing examples, which incorporate the above usage guidelines.

Comments and suggestions are always welcome.

    Thanks,
    Rich Levinson
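
The three placement rules in the proposed text, applied to a policy document, as an added example that is not part of the message, the spec draft, or the Use Cases document. It walks a WS-SecurityPolicy fragment and reports, for every sp:SamlToken assertion, which ConfirmationMethod the proposal says can be assumed. The namespaces (WS-SecurityPolicy 1.2 and WS-Policy 1.2), the sample policy, and the EndorsingSupportingTokens case (which the proposal does not address and is therefore reported as uncovered) are assumptions of the example; the ConfirmationMethod URIs are the ones defined by SAML 1.1, not taken from the message.

```python
"""Infer which SAML ConfirmationMethod a WS-SecurityPolicy expects from where
its sp:SamlToken assertion sits, following the three placement rules in the
proposed text above. Standard library only."""
import xml.etree.ElementTree as ET

# Assumed namespaces (not stated in the message): WS-SecurityPolicy 1.2 and
# WS-Policy 1.2.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}
SAML_TOKEN = "{%s}SamlToken" % SP

# ConfirmationMethod URIs defined by SAML 1.1 (from the SAML spec, not from
# the message); the WSS SAML Token Profiles refer to them by these names.
CONFIRMATION_URI = {
    "holder-of-key": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
    "sender-vouches": "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
    "bearer": "urn:oasis:names:tc:SAML:1.0:cm:bearer",
}


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _ancestors(elem, parents):
    """Yield ancestors of elem, nearest first (ElementTree has no parent links)."""
    while elem in parents:
        elem = parents[elem]
        yield elem


def infer_confirmation_method(saml_token, parents):
    """Apply the proposed guidelines to one sp:SamlToken element.

    Returns (container, method): container is the local name of the binding or
    supporting-tokens assertion the token sits in; method is 'holder-of-key',
    'sender-vouches', 'bearer', or None when the placement is not covered by
    the proposed text (e.g. EndorsingSupportingTokens, an assumed extra case).
    """
    sp_ancestors = [_local(a.tag) for a in _ancestors(saml_token, parents)
                    if a.tag.startswith("{%s}" % SP)]
    # Rule 1: anywhere inside a Security Binding assertion -> holder-of-key.
    for name in sp_ancestors:
        if name in BINDINGS:
            return name, "holder-of-key"
    # Rules 2 and 3: outside any binding, the nearest supporting-tokens
    # container decides.
    for name in sp_ancestors:
        if name == "SignedSupportingTokens":
            return name, "sender-vouches"
        if name == "SupportingTokens":
            return name, "bearer"
        if name.endswith("SupportingTokens"):
            return name, None  # placement the proposal does not address
    return None, None


def classify_policy(policy_xml):
    """Return [(container, method, confirmation_uri)] for every sp:SamlToken."""
    root = ET.fromstring(policy_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    results = []
    for tok in root.iter(SAML_TOKEN):
        container, method = infer_confirmation_method(tok, parents)
        results.append((container, method, CONFIRMATION_URI.get(method)))
    return results


# Constructed sample policy: one SamlToken per rule, plus one uncovered case.
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:ProtectionToken>
    </wsp:Policy></sp:SymmetricBinding>
    <sp:SignedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SignedSupportingTokens>
    <sp:SupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SupportingTokens>
    <sp:EndorsingSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:EndorsingSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
""" % (WSP, SP)

if __name__ == "__main__":
    for container, method, uri in classify_policy(SAMPLE_POLICY):
        print(container, "->", method, uri)
```

The function only infers what the policy asks for; a verifier on the receiving side must still read the ConfirmationMethod actually present in the SAML Assertion and, for holder-of-key, prove possession of the subject key before trusting the token.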
