Hi Sam,

> As I understand it, in the case where we're not using SAML metadata, and
> where we're relying on the AA trust fabric, we make the requirement that the
> AAA entities correspond to the SAML entities.
> So, we don't need to constrain the SAML naming because the AAA entities
> are making the assertions that the SAML names also correspond to the AAA
> names.

Yes, but I believe that we also need to constrain SAML naming to the extent that SAML entities are making claims about their names to other entities in a way that is consistent with the underlying AAA system. For example, in a model where AAA trust is assumed sufficient, a relying party could consume the same SAML name from two entities. This isn't a problem if a relying party is just interested in consuming the rest of the assertion (attributes, etc.) that relate to an authenticated principal but, for example, it would impede a subsequent SAML exchange where all the requestor has is a SAML name for an entity whose semantics say nothing about how to reach it using AAA.

> In the case where we're trusting SAML metadata or policy, the issue is that
> we need to avoid a cut&paste attack where a SAML message intended for
> one party is intended for another party. The issue we are trying to solve is
> how to indicate in SAML messages or metadata that a particular AAA
> endpoint was a valid destination for a binding or entity.

Ah yes, the slides were not explicit about this, sorry. The assertion would be scoped to an <Audience> (the valid destination) using the proposed format, signed by the issuer, and use a standard SAML entity identifier to identify itself. The recipient, having validated the signature against the metadata, could validate itself as the intended <Audience>.

Josh.

abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
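The relying-party check Josh describes (verify the issuer's signature against metadata first, then confirm that the recipient's own entity identifier is the <Audience> the assertion is scoped to) is what stops the cut&paste scenario in Sam's message: an assertion lifted from one destination and presented to another fails the audience check, and an assertion whose audience has been rewritten fails the signature check. The script below is an added illustration, not code from the thread or from any ABFAB implementation. It assumes a constructed metadata table keyed by issuer entityID and, so that it runs without an XML-DSig library, uses an HMAC over a fixed serialisation of the signed fields as a stand-in for a ds:Signature; the entity identifiers and the subject name are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed stand-in for SAML metadata: issuer entityID -> the key used to
# verify that issuer's signatures. A real deployment would hold the issuer's
# signing certificate here and verify an XML-DSig <ds:Signature>; an HMAC over
# a fixed serialisation of the signed fields is used so the example runs
# offline (assumption for this example only).
METADATA = {
    "https://idp.example.org/idp": b"constructed-issuer-key",
}


def signed_fields(issuer, subject, audiences):
    """Fixed serialisation of the fields the stand-in signature covers."""
    return "\n".join([issuer, subject, *audiences]).encode()


def sign(key, issuer, subject, audiences):
    return hmac.new(key, signed_fields(issuer, subject, audiences),
                    hashlib.sha256).hexdigest()


def build_assertion(issuer, subject, audiences, key):
    """Issuer side: an assertion scoped to its intended <Audience>(s), then signed."""
    audience_xml = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    sig = sign(key, issuer, subject, audiences)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction>{audience_xml}"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"<Signature>{sig}</Signature>"  # stand-in for ds:Signature
        f"</saml:Assertion>"
    )


def validate_assertion(xml_text, my_entity_id, metadata=METADATA):
    """Relying-party side. Returns (accepted, reason_or_subject)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audiences = [
        a.text or "" for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    ]
    sig = root.findtext("Signature")
    if issuer is None or subject is None or sig is None:
        return False, "malformed assertion"
    # Step 1: look the issuer up in metadata and verify the signature with its key.
    key = metadata.get(issuer)
    if key is None:
        return False, "issuer not in metadata"
    if not hmac.compare_digest(sig, sign(key, issuer, subject, audiences)):
        return False, "signature invalid"
    # Step 2: only now rely on the audience, and refuse unless we are named in it.
    if my_entity_id not in audiences:
        return False, "not the intended audience"
    return True, subject


if __name__ == "__main__":
    idp = "https://idp.example.org/idp"
    assertion = build_assertion(idp, "alice@example.org",
                                ["https://sp-a.example.net"], METADATA[idp])
    print("at sp-a:", validate_assertion(assertion, "https://sp-a.example.net"))
    print("replayed at sp-b:", validate_assertion(assertion, "https://sp-b.example.net"))
    rewritten = assertion.replace("https://sp-a.example.net", "https://sp-b.example.net")
    print("audience rewritten:", validate_assertion(rewritten, "https://sp-b.example.net"))
```

The order of the two checks matters: the audience element is only meaningful after the signature that covers it has been verified against the issuer's metadata entry, which is why the function rejects an unknown or unverifiable issuer before it ever looks at <Audience>.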
