On 11/28/11 12:05 PM, "Sam Hartman" <[email protected]> wrote:

> Any chance you could give me text on the values and name IDs? The latest
> XML source is in the draft repository, although plain text is also fine.
OK, here's some text to try. I included language about character encoding. I don't know if that's needed, but I suspect something probably is, whether it's this or something else. There's also some ugly text about NameID qualifiers because of an unfortunate decision to allow defaulting there. I captured what my guidelines would be in the general case of a SAML implementation.

For section 6.2:

Each attribute carried in the assertion SHOULD also be a GSS name attribute. The name of this attribute has three parts, all separated by an ASCII space character. The first part is TBD. The second part is the URI for the <saml:Attribute> element's NameFormat XML attribute. The final part is the <saml:Attribute> element's Name XML attribute.

If the content of each <saml:AttributeValue> element is a simple text node (or nodes), then the raw and "display" values of the GSS name attribute MUST be the text content of the element(s) encoded as UTF-8. If the value is not simple, then the raw value(s) of the GSS name attribute MUST be the well-formed serialization of the <saml:AttributeValue> element(s) encoded as UTF-8. The "display" values are implementation-defined.

Then the last paragraph is the same as what you have now.

Then add section 6.3, SAML Name Identifiers:

The <saml:NameID> carried in the subject of the assertion SHOULD also be a GSS name attribute. The name of this attribute has two parts, separated by an ASCII space character. The first part is TBD. The second part is the URI for the <saml:NameID> element's Format XML attribute.

The raw value of the GSS name attribute MUST be the well-formed serialization of the <saml:NameID> element encoded as UTF-8. The "display" value is implementation-defined. For formats defined by section 8.3 of [SAMLCORE], missing values of the NameQualifier or SPNameQualifier XML attributes MUST be populated in accordance with the definition of the format prior to serialization. In other words, the defaulting rules specified for the "persistent" and "transient" formats MUST be applied prior to serialization.

This attribute SHOULD be marked authenticated if the name identifier is contained in a SAML assertion that has been successfully validated back to the trusted source of the peer credential. In the GSS-EAP mechanism, a SAML assertion carried in an integrity-protected and authenticated AAA protocol SHALL be sufficiently validated. An implementation MAY apply local policy checks to this assertion and discard it if it is unacceptable according to these checks.

-- Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
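The naming and serialization rules proposed in the message above (sections 6.2 and 6.3), worked through as an added example that is not part of the draft, the thread, or any ABFAB implementation. It assumes: the first component of each GSS name is the draft's "TBD" placeholder (not whatever value was later assigned); the NameFormat and Format defaults come from SAML Core (attrname-format:unspecified and 1.1:nameid-format:unspecified when the XML attribute is omitted); the SAML Core 8.3 defaulting for "persistent" and "transient" fills a missing NameQualifier with the assertion's Issuer and a missing SPNameQualifier with the relying party's entityID; and the sample assertion, SP entityID and OIDs used are constructed test input. Validation of the assertion back to the trusted source happens outside this code; the caller passes in whether that succeeded so the "authenticated" flag follows the SHOULD in the text.

```python
"""Added example: derive GSS name attributes from a SAML assertion per the
proposed 6.2/6.3 text. Constructed input; not code from the draft or thread."""
import copy
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
ET.register_namespace("saml", SAML2)

# The draft leaves the first component of the GSS name as TBD. This placeholder
# stands in for it and is NOT the value eventually assigned (assumption).
GSS_PREFIX = "TBD"

# SAML Core defaults when the XML attribute is omitted (sections 2.7.3.1, 2.2.2).
DEFAULT_NAMEFORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Section 8.3 formats whose qualifiers have defaulting rules.
FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def serialize(elem):
    """Well-formed UTF-8 serialization of one element (tail whitespace dropped)."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.tostring(elem, encoding="utf-8")


def attribute_to_gss(attr):
    """6.2: '<prefix> <NameFormat> <Name>' plus raw and display values."""
    name = attr.get("Name")
    if name is None:
        raise ValueError("saml:Attribute without Name")
    gss_name = " ".join([GSS_PREFIX, attr.get("NameFormat", DEFAULT_NAMEFORMAT), name])
    values = attr.findall("saml:AttributeValue", NS)
    if all(len(v) == 0 for v in values):  # simple text content only
        raw = [(v.text or "").encode("utf-8") for v in values]
        display = list(raw)
    else:  # complex content: serialize each element; display is implementation-defined
        raw = [serialize(v) for v in values]
        display = [None] * len(raw)
    return gss_name, raw, display


def nameid_to_gss(nameid, issuer, sp_entity_id):
    """6.3: '<prefix> <Format>' with the qualifier-defaulted, serialized NameID.
    Assumed 8.3.7/8.3.8 defaults: NameQualifier -> issuer, SPNameQualifier -> SP."""
    nameid = copy.deepcopy(nameid)  # never mutate the parsed assertion
    fmt = nameid.get("Format", DEFAULT_NAMEID_FORMAT)
    if fmt in (FORMAT_PERSISTENT, FORMAT_TRANSIENT):
        if nameid.get("NameQualifier") is None:
            nameid.set("NameQualifier", issuer)
        if nameid.get("SPNameQualifier") is None:
            nameid.set("SPNameQualifier", sp_entity_id)
    return " ".join([GSS_PREFIX, fmt]), serialize(nameid)


def gss_name_attributes(assertion_xml, sp_entity_id, assertion_validated):
    """GSS name -> {raw, display, authenticated}. 'authenticated' is true only
    when the caller validated the assertion back to the trusted source."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    out = {}
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        name, raw = nameid_to_gss(nameid, issuer, sp_entity_id)
        out[name] = {"raw": [raw], "display": [None], "authenticated": assertion_validated}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name, raw, display = attribute_to_gss(attr)
        out[name] = {"raw": raw, "display": display, "authenticated": assertion_validated}
    return out


# Constructed sample assertion (no real IdP; signature omitted). The second
# attribute carries a complex value to exercise the serialization branch.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2011-11-28T17:05:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      <saml:AttributeValue>a.smith@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tgt-9f</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SP_ENTITY_ID = "https://sp.example.com/shibboleth"  # constructed relying-party entityID

if __name__ == "__main__":
    for name, v in gss_name_attributes(SAMPLE_ASSERTION, SP_ENTITY_ID, True).items():
        print(name)
        for r in v["raw"]:
            print("   ", r.decode("utf-8"))
```

Note that the defaulting is applied to a copy of the subject NameID only; a NameID nested inside an AttributeValue is serialized as received, since the 6.3 rule is stated for the subject. Whether an assertion counts as validated (the GSS-EAP AAA-protection argument, plus any local policy check) is decided before calling this code and simply passed through.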
