Metadata for SAML 1.0 Web Browser Profiles

Similar documents
Metadata for SAML 1.0 Web Browser Profiles

SSTC Response to Security Analysis of the SAML Single Sign-on Browser/Artifact Profile

XDI Requirements and Use Cases

Kerberos SAML Profiles

Level of Assurance Authentication Context Profiles for SAML 2.0

OpenOffice Specification Sample

OASIS - Artifact naming guidelines

Deployment Profile Template Version 1.0 for WS-Reliability 1.1

{Describe the status and stability of the specification here.}

SAML V2.0 Profile for Mandator Credentials

OASIS Security Assertion Markup Language (SAML) SSO Use Cases and Scenarios

Abstract Code-Signing Profile of the OASIS Digital Signature Services

Enhanced Client Profile (PAOS-LECP) Solution Proposal for SAML 2.0

Web Services Security: XCBF Token Profile

XACML Profile for Requests for Multiple Resources

Web Services Security XCBF Token Profile

SAML 2.0 Protocol Extension for Requested Authentication Context

Proposal for SAML Attribute Changes

saml requesting attributes v1.1 wd01 Working Draft January 2016 Standards Track Draft Copyright OASIS Open All Rights Reserved.

Web Services Security X509 Certificate Token Profile

J2ME Code-Signing Profile of the OASIS Digital Signature Services

OASIS Specification Document Template Usage

SAML V2.0 Holder-of-Key Assertion Profile

SAML V2.0 Profile for Token Correlation

Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML)

Metadata Extension for SAML V2.0 and V1.x Query Requesters

Asynchronous Processing Abstract Profile of the OASIS Digital Signature Services Version 1.0

Signature Gateway Profile of the OASIS Digital Signature Service

Position Paper: Facets for Content Components

SAML V2.0 EAP GSS SSO Profile Version 1.0

Errata for the OASIS SAML 1.0 Committee Specifications

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

Test Assertions for the SCA Web Service Binding Version 1.1 Specification

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

TestCases for the SCA Assembly Model Version 1.1

Network Working Group Internet-Draft October 27, 2007 Intended status: Experimental Expires: April 29, 2008

Multi-Server Based Namespace Data Management of Resource Namespace Service

Updates: 2710 September 2003 Category: Standards Track. Source Address Selection for the Multicast Listener Discovery (MLD) Protocol

SCA JMS Binding v1.1 TestCases Version 1.0

Category: Standards Track December 2003

Errata for the OASIS Security Assertion Markup Language (SAML) V1.1

Test Assertions for the SCA Assembly Model Version 1.1 Specification

Category: Standards Track September 2003

Request for Comments: 2711 Category: Standards Track BBN October 1999

EAN UCC Deployment Guide Version 1.0

Authentication, Authorization and Accounting Requirements for the Session Initiation Protocol

Expires: February 25, 2004 August 27, Using the NETCONF Configuration Protocol over Secure Shell (SSH) draft-wasserman-netconf-over-ssh-00.

Network Working Group. November Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4)

Hierarchical Resources: Non-XML Resource Use Case

XACML v3.0 XML Digital Signature Profile Version 1.0

Network Working Group Request for Comments: Category: Best Current Practice January 2004

SAMLv2: HTTP POST NoXMLdsig Binding

Request for Comments: 3934 Updates: 2418 October 2004 BCP: 94 Category: Best Current Practice

Network Working Group Internet-Draft August 2005 Expires: February 2, Atom Link No Follow draft-snell-atompub-feed-nofollow-00.

Network Working Group Request for Comments: 3634 Category: Standards Track Comcast Cable J. Bevilacqua N. Davoust YAS Corporation December 2003

Category: Standards Track September MIB Textual Conventions for Uniform Resource Identifiers (URIs)

Implementation profile for using OASIS DSS in Central Signing services

Network Working Group. Category: Standards Track September 2003

Network Working Group. Category: Informational January 2006

Using the AMQP Anonymous Terminus for Message Routing Version 1.0

[MS-OXWSMSHR]: Folder Sharing Web Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

SCA-J POJO Component Implementation v1.1 TestCases Version 1.0

Updates: 2535 November 2003 Category: Standards Track

Network Working Group Internet-Draft January 25, 2006 Expires: July 29, Feed Rank draft-snell-atompub-feed-index-05.txt. Status of this Memo

Steven Newhouse, Microsoft Mario Antonioletti, EPCC August 1, 2011

Network Working Group Request for Comments: 3397 Category: Standards Track Apple Computer, Inc. November 2002

Hierarchical Resource profile of XACML

Network Working Group. Category: Standards Track February SIEVE Filtering: Spamtest and VirusTest Extensions

Expires: October 9, 2005 April 7, 2005

Network Working Group Request for Comments: 3937 Category: Informational October 2004

Example set of DFDL 1.0 properties

Example set of DFDL 1.0 properties

Service Component Architecture Client and Implementation Model for C++ Test Cases Version 1.1

Network Working Group. Category: Standards Track <draft-aboba-radius-iana-03.txt> 30 March 2003 Updates: RFC IANA Considerations for RADIUS

Network Working Group. Category: Informational April A Uniform Resource Name (URN) Namespace for the Open Geospatial Consortium (OGC)

Michel Drescher, FLE, Ltd. Standardised Namespaces for XML in GGF (draft 09) N/A

Request for Comments: 5179 Category: Standards Track May 2008

TestCases for the SCA POJO Component Implementation Specification Version 1.1

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

TestCases for the SCA Web Service Binding Specification Version 1.1

OASIS Service Provisioning Markup Language (SPML) v2 - DSML v2 Profile

SCA JMS Binding Specification v1.1 Test Assertions Version 1.0

TestCases for the SCA Web Service Binding Specification Version 1.1

OASIS - Artifact Naming Guidelines

Test Assertions for the SCA Policy Framework 1.1 Specification

Microsoft XML Namespaces Standards Support Document

Network Working Group Internet-Draft August 2005 Expires: February 2, Atom Link No Follow draft-snell-atompub-feed-nofollow-03.

Network Working Group Request for Comments: 4913 Category: Experimental July 2007

Proposed Visual Document Signatures Profile of OASIS DSS

SAML V2.0 Deployment Profiles for X.509 Subjects

Network Working Group. Intended status: Standards Track Columbia U. Expires: March 5, 2009 September 1, 2008

OASIS XACML XML DSig Profile

KMIP Opaque Managed Object Store Profile Version 1.0

Request for Comments: 4633 Category: Experimental August 2006

OASIS Service Provisioning Markup Language (SPML) v2 - DSML v2 Profile

Glossary for the OASIS Security Assertion Markup Language (SAML)

E. Lewis ARIN September 23, KEY RR Secure Entry Point Flag draft-ietf-dnsext-keyrr-key-signing-flag-09. Status of this Memo

Category: Standards Track June Requesting Attributes by Object Class in the Lightweight Directory Access Protocol (LDAP) Status of This Memo

Expires in six months 24 October 2004 Obsoletes: RFC , , 3377, 3771

Transcription:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Metadata for SAML 1.0 Web Browser Profiles Working Draft 00, 12 November 2002 Document identifier: draft-sstc-saml-meta-data-00 Location: http://www.oasis-open.org/committees/security/docs Editor: Prateek Mishra, Netegrity <pmishra@netegrity.com> Contributors: Jeff Hodges, Sun Microsystems Abstract: The SAML 1.0 web browser profiles require agreement between a source and destination site about metadata in the form of URLs, authentication modes, certificate authorities etc. This document describes the required metadata together with appropriate XML schema. Status: Interim draft. Send comments to the editor. Committee members should send comments on this specification to the securityservices@lists.oasis-open.org list. Others should subscribe to and send comments to the security-services-comment@lists.oasis-open.org list. To subscribe, send an email message to security-services-comment-request@lists.oasis-open.org with the word "subscribe" as the body of the message. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Security Services TC web page (http://www.oasis-open.org/committees/security/). Copyright OASIS Open 2002. All Rights Reserved. Page 1 of 9

28 29 30 31 32 33 34 35 36 37 38 39 40 Table of Contents Introduction... 3 1.1 Notation... 3 2 Metadata for SAML 1.0 Web Browser Profiles... 4 2.1 Source Site Descriptor... 4 2.1.1 Artifact Metadata... 4 2.1.1.1 SOAP Protocol Binding Metadata... 5 2.1.2 FORMPost Metadata... 6 2.2 Source Site Descriptor... 6 3 References... 7 Appendix A. Revision History... 8 Appendix B. Notices... 9 Copyright OASIS Open 2002. All Rights Reserved. Page 2 of 9

41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 Introduction The SAML 1.0 web browser profiles require agreement between a source and destination site about metadata in the form of URLs, authentication modes, certificate authorities etc. This document describes the required metadata together with appropriate XML schema. 1.1 Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]. Listings of productions or other normative code appear like this. Example code listings appear like this. Note: Non-normative notes and explanations appear like this. Conventional XML namespace prefixes are used throughout this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example: The prefix saml: stands for the SAML assertion namespace [SAMLCore]. The prefix samlp: stands for the SAML request-response protocol namespace [SAMLCore]. The prefix ds: stands for the W3C XML Signature namespace, http://www.w3.org/2000/09/xmldsig# [XMLSig]. The prefix SOAP-ENV: stands for the SOAP 1.1 namespace, http://schemas.xmlsoap.org/soap/envelope Error! Reference source not found.. The prefix wsse: stands for the WS-Security 1.0 namespace http://schemas.xmlsoap.org/ws/2002/04/secext Error! Reference source not found.. Copyright OASIS Open 2002. All Rights Reserved. Page 3 of 9

66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 2 Metadata for SAML 1.0 Web Browser Profiles For source and destination sites to communicate with each other, they must a priori have obtained metadata regarding each other. These provider metadata include items such as X.509 certificates and service endpoints. This specification defines metadata schemas for source and destination sites that may be used for metadata exchange. However, protocols for metadata exchange are outside the scope of this specification. 2.1 Source Site Descriptor The complex type SourceSiteDescriptorType contains the following elements: ProfileID [Required] The identification URI of the profile which MUST be one of the URIs given in Section 4.1.1.1 or 4.1.2.1 of [SAMLbind]. Issuer [Required] String used as the issuer attribute of SAML assertions originating from the source site. InterSiteTransferURL [Required] The inter-site transfer URL at the source site. ArtifactMetaData [Optional] An instance of ArtifactMetaDataType with metadata relevant to the source site in the Browser/Artifact profile. FORMPostMetaData [optional] An instance of FORMPostMetaDataType with metadata relevant to the source site in the Browser/POST profile. 2.1.1 Artifact Metadata The complex type ArtifactMetaDataType contains the following elements: SourceID [Required] This MUST be the 20 byte Source ID value used by the source site. As it includes arbitrary binary data it is represented by XML schema type hexbinary. A 20 byte sequence is always encoded as a sequence of 40 hecadecimal digits. SAMLProtocolBindingID [Required] The identification URI of the SAML protocol binding supported by the source site. The SAML protocol binding is used by the destination site to map artifacts to assertions. Copyright OASIS Open 2002. All Rights Reserved. Page 4 of 9

114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 SOAPProtocolBindingMetaData [Optional] An instance of SOAPProtocolBindingMetaDataType with metadata required when the selected protocol binding is the SAML 1.0 SOAP binding. 2.1.1.1 SOAP Protocol Binding Metadata The complex type SOAPProtocolBindingMetaDataType contains the following elements: SOAPResponderURL [Required] URL for the SAML SOAP responder at the source site. TrustModel [Required] An instance of TrustModelType with metadata describing the trust relationship between the source and destination sites. 2.1.1.1.1 TrustModelType The complex type TrustModelType contains the following elements: TrustRelationship [Required] An instance of TrustRelationshipType which describes the trust relationship between the source and destination sites: 1. NoAuth : Neither source nor destination site authenticate to each other. 2. BasicAuth: Destination site authenticates to source site using Basic authentication. 3. ServerSideSSL: Source site authenticates to the destination site using TLS/SSL with a server-side X509 certificate. Destination site does not authenticate to the source site. 4. BasicOverSSL: Source site authenticates to the destination site using TLS/SSL with a server-side X509 certificate. Destination site authenticates to source site using Basic authentication. 5. ClientSideCertificate: Source site authenticates to the destination site using TLS/SSL with a server-side X509 certificate. Destination site authenticates to source site using a client-side X509 certificate. NameAndPassword [Optional] Name and password to be used by destination site if it authenticates using Basic authentication. Keyinfo [Optional] X509 certificate used by source site for server-side SSL. 2.1.1.1.2 TrustModelType Schema <xs:simpletype name="trustrelationshiptype"> Copyright OASIS Open 2002. All Rights Reserved. Page 5 of 9

164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 <xs:restriction base="xsi:string"> <xs:enumeration value="noauth"/> <xs:enumeration value="basicauth"/> <xs:enumeration value="serversidessl"/> <xs:enumeration value="basicoverssl"/> <xs:enumeration value="clientsidecertificate"/> </xs:restriction> </xs:simpletype> <xs:complextype name="nameandpasswordtype"> <xs:attribute name="name" type="xsi:string"/> <xs:attribute name="password" type="xsi:string"/> </xs:complextype> <xs:complextype name="trustmodeltype"> <xs:sequence> <xs:element name="trustrelationship" type="trustrelationshiptype"/> <xs:element name="nameandpassword" type="nameandpasswordtype" minoccurs="0"/> <xs:element ref= "ds:keyinfo" minoccurs="0"/> </xs:sequence> </xs:complextype> 2.1.2 FORMPost Metadata The complex type FORMPostMetadataType contains the following element: KeyInfo [Required] X509 certificate or public key associated with the source site signature on the <saml:response> element transmitted to the destination site. 2.2 Source Site Descriptor The complex type SourceSiteDescriptorType contains the following elements: ArtifactReceiverURL [Optional] Required for Browser/Artifact Profile: URL corresponding to the artifact receiver host name and path (Section 4.1.1.5 of [SAMLbind]). AssertionConsumerServiceURL [Optional] Required for Browser/POST profile: URL corresponding the assertion consumer host name and path (Section 4.1.2.4 of [SAMLbind]). KeyInfo [Optional] May be required for Browser/Artifact Profile: X509 certificate used by destination site, when authenticating to source site with client-side certificates over SSL. Copyright OASIS Open 2002. All Rights Reserved. Page 6 of 9

216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 3 References [RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997. [SAMLBind] P. Mishra (Editor), Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML), Committee Specification 01, available from http://www.oasisopen.org/committees/security, OASIS, May 2002. [SAMLCore] P. Hallam-Baker, P., and E. Maler, (Editors), Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), Committee Specification 01, available from http://www.oasis-open.org/committees/security, OASIS, May 2002. [SAMLReqs] D. Platt et al., SAML Requirements and Use Cases, OASIS, December 2001. [SAMLSecure] Security and Privacy Cpnsiderations for the OASIS Security Assertion Markup Language (SAML), http://www.oasisopen.org/committees/security/docs/cs-sstc-sec-consider- 01.doc. [XMLSig] D. Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/tr/xmldsig-core/, World Wide Web Consortium. [LAProtSchema] John D. Beatty, John Kemp, Liberty Protocols and Schemas Specification, Draft Version 1.1-05, November 2002. [SAMLInterOp] Prateek Mishra, Proposed InterOp Scenario for SAML at Catalyst 2002, April 26, 2002, available at http://lists.oasisopen.org/archives/saml-dev/200206/msg00209.html Copyright OASIS Open 2002. All Rights Reserved. Page 7 of 9

246 247 Appendix A. Revision History Rev Date By Whom What wd-00 2002-06-16 Prateek Mishra First draft based on discussion with Jeff Hodges Copyright OASIS Open 2002. All Rights Reserved. Page 8 of 9

248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 Appendix B. Notices OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director. OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director. Copyright OASIS Open 2002. All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright OASIS Open 2002. All Rights Reserved. Page 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback