Bug 4582 - ConfirmationMethod of embedded SAML assertion
Status: RESOLVED FIXED
Product: GridShib
Component: GT plugin
Version: 0.5
Hardware/OS: All All
Importance: P3 normal
Target Milestone: beta
Reported: 2006-07-11 10:37
Modified: 2008-04-25 21:11




Description From 2006-07-11 10:37:35
The client that embeds a SAML assertion in an X.509 cert includes the following
SubjectConfirmation element:

<SubjectConfirmation>
  <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod>
</SubjectConfirmation>

This URI is incorrect (since it's an AuthenticationMethod URI).  Instead it
should be a ConfirmationMethod URI (see section 5 of SAMLBind).
------- Comment #1 From 2006-07-11 10:43:42 -------
The following SubjectConfirmation element is recommended:

<saml:SubjectConfirmation>
 <saml:ConfirmationMethod>
   urn:oasis:names:tc:SAML:1.0:cm:bearer
 </saml:ConfirmationMethod>
</saml:SubjectConfirmation>

The only other reasonable choice is holder-of-key, but since the principal has
already proved possession of the key corresponding to the certificate, and
since the assertion is consumed and thrown away (i.e., not cached or
forwarded), bearer is good enough.
------- Comment #2 From 2006-07-11 11:55:58 -------
OK, next patch will contain change to bearer.  Accompanying this will be a
change to the consuming PIP to consider other than bearer else invalid.  Later
we can support others if needed.
------- Comment #3 From 2006-08-02 11:28:46 -------
Fix committed to trunk. Confirmation method has been changed in the createproxy
and the SAMLAuthnAssertionPIP will throw an error if any other confirmation
method is used.
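The check that Comment #3 describes for the consuming PIP (accept bearer, reject every other confirmation method) can be illustrated with a small validator. The example below is added here and is not GridShib code; it uses Python's standard XML parser, constructs its own minimal SAML 1.1 assertions as sample input (issuer, name identifier and timestamps are made-up placeholders), and goes slightly beyond the thread by taking an `allowed` set so that holder-of-key could be enabled later, as Comment #2 anticipates. It also classifies the original mistake explicitly: a URI under the `am:` prefix is an AuthenticationMethod, not a ConfirmationMethod.

```python
"""Added example (not GridShib code): validate the ConfirmationMethod of an
embedded SAML 1.x assertion the way the fixed SAMLAuthnAssertionPIP is described."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Confirmation-method URIs defined in section 5 of the SAML 1.x bindings spec.
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
# Prefix of authentication-method URIs: they belong on AuthenticationStatement,
# never inside SubjectConfirmation (the mistake reported in this bug).
AM_PREFIX = "urn:oasis:names:tc:SAML:1.0:am:"


def confirmation_methods(assertion_xml: str) -> list[str]:
    """Return every ConfirmationMethod URI found under saml:SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:SubjectConfirmation/saml:ConfirmationMethod"
    # Whitespace around the URI (as in the recommended layout) is not significant.
    return [(el.text or "").strip() for el in root.iterfind(path, NS)]


def check_subject_confirmation(assertion_xml: str,
                               allowed=frozenset({CM_BEARER})) -> tuple[bool, str]:
    """Accept the assertion only if every ConfirmationMethod is in `allowed`.

    Default policy matches the thread: bearer is accepted, anything else is an
    error.  Widen `allowed` (e.g. add CM_HOLDER_OF_KEY) if other methods are
    ever supported by the consuming PIP.
    """
    try:
        methods = confirmation_methods(assertion_xml)
    except ET.ParseError as exc:
        return False, f"assertion is not well-formed XML: {exc}"
    if not methods:
        return False, "no ConfirmationMethod in SubjectConfirmation"
    for method in methods:
        if method in allowed:
            continue
        if method.startswith(AM_PREFIX):
            return False, f"{method} is an AuthenticationMethod URI, not a ConfirmationMethod"
        return False, f"unsupported ConfirmationMethod {method}"
    return True, "ok"


def _assertion(method_uri: str) -> str:
    """Build a minimal constructed SAML 1.1 assertion carrying one ConfirmationMethod.
    Issuer, subject and timestamps are placeholders, not values from the project."""
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-example" Issuer="https://idp.example.org/placeholder"
    IssueInstant="2006-07-11T15:37:35Z">
  <saml:AuthenticationStatement AuthenticationMethod="{AM_PREFIX}X509-PKI"
      AuthenticationInstant="2006-07-11T15:37:35Z">
    <saml:Subject>
      <saml:NameIdentifier>user@example.org</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{method_uri}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Constructed samples: what createproxy emitted before the fix, after it, and
# the one alternative the reporter considered reasonable.
BROKEN_ASSERTION = _assertion(AM_PREFIX + "X509-PKI")
FIXED_ASSERTION = _assertion(CM_BEARER)
HOK_ASSERTION = _assertion(CM_HOLDER_OF_KEY)

if __name__ == "__main__":
    for label, doc in (("before fix", BROKEN_ASSERTION),
                       ("after fix", FIXED_ASSERTION),
                       ("holder-of-key", HOK_ASSERTION)):
        print(f"{label:>14}: {check_subject_confirmation(doc)}")
```

Running it shows the pre-fix assertion rejected with a message naming the category error, the bearer assertion accepted, and holder-of-key rejected under the default policy but accepted once it is added to `allowed`.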