[OGSA-AUTHZ] comments for Use of SAML to Retrieve Authorization Credentials
valerio.venturi at cnaf.infn.it
Mon Jun 8 09:33:57 CDT 2009
Integrated. Thanks Tom.
On Thu, 2009-05-21 at 20:36 -0500, Tom Scavo wrote:
> Comments re the answers to comments:
> Item 1:
> - s/Consent parameter/Consent attribute/
> - The Consent attribute MUST be present in the request since the
> attribute value defaults to "unspecified", which is not what we want.
> - Note that SAML2Core requires the request to be signed (lines 1511--1512).
> Item 2:
> - The assertion in the appendix is just an example. The profile
> should specify the content of the <saml:SubjectConfirmation> element
> by referring normatively to SAMLHoK.
> Item 3:
> - This implies that SAMLX509SelfQry is not sufficient. As an
> alternative, refer normatively to the SAML V2.0 Holder-of-Key
> Assertion Request Profiles.
> Item 4:
> Item 5:
> Item 6:
> - If the requester is the subject, the following requirements MUST be satisfied:
> 1. The value of the <saml:Issuer> element in the request MUST be the subject
> distinguished name (DN) of the presented certificate (see the
> Holder-of-Key Assertion Request Profiles).
> 2. The value of the Consent attribute SHOULD be
> "urn:oasis:names:tc:SAML:2.0:consent:self" (where the latter will be
> specified in draft-02 of the Holder-of-Key Assertion Request
> Tom Scavo
> On Thu, May 21, 2009 at 5:28 PM, Valerio Venturi
> <valerio.venturi at cnaf.infn.it> wrote:
> > I have summarized in a wiki page the comments and answers received
> > on 'Use of SAML to Retrieve Authorization Credentials'
> > https://forge.gridforum.org/sf/wiki/do/viewPage/projects.ogsa-authz/wiki/AnswerToPublicCommentsToOGFSAML?_message=1242400598869
> > If everything is ok I'll do the integration and upload a new draft.
> > Valerio
> > --
> > ogsa-authz-wg mailing list
> > ogsa-authz-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2875 bytes
Desc: not available
Url : http://www.ogf.org/pipermail/ogsa-authz-wg/attachments/20090608/50222905/attachment.bin
More information about the ogsa-authz-wg