Ok, the following response will not make you happy.  I suggest that you talk
to your employer about this issue.

1. What kind of credential to get - That depends on what types of
credentials are used by your authentication framework.  The types of
credentials supported include SAML, X.509 certificates, GSS-API and WS-Trust
tokens.  There is no way for us to specify a single authentication method,
as different companies use different methods.  Also we want to support some
very loose methods in non-company situations.

2. Where/how to get it - That depends on what types of credentials are
used by your authentication framework.  You talk to plasma after you have
gotten credentials of some type, plasma does not tell you what type of
credentials you need, although it will tell you what attributes are needed
in the credentials (as part of the XACML response portion).

3. What Plasma AuthenticationType type to map it to - That depends on
what types of credentials are used by your authentication framework.  SAML
2.0 Assertions go into the SAML element (section 5.1.1), GSSAPI goes into
the GSSAPI element (section 5.1.4), X.509 certificates use the XML Digital
Signature element (as might SAML if there is a holder-of-key statement)
(section 5.1.3).  Other types would go into a locally defined Other (an
example would be SAML 1.0 Assertions) (external document - referenced from
section 5.1).

4. How to do the encoding for that mapping - That depends on what
types of credentials are used by your authentication framework.  See the
response to question 3.

Jim

From: Dan Griffin [mailto:[email protected]] 
Sent: Thursday, June 28, 2012 4:16 PM
To: Jim Schaad; [email protected]
Subject: RE: [plasma] Binary value encoding in AuthenticationTypeWSToken

I'm referring to how the client authenticates to Plasma in the first place,
i.e. part of the work the client has to do before a single Plasma call is
made. The client will have to know:

1. What kind of credential to get
2. Where/how to get it
3. What Plasma AuthenticationType type to map it to
4. How to do the encoding for that mapping

The draft text doesn't appear to address #3 at all. How can you expect
interoperability? My first question remains unanswered. 

From: Jim Schaad [mailto:[email protected]] 
Sent: Wednesday, June 27, 2012 7:54 PM
To: Dan Griffin; [email protected]
Subject: RE: [plasma] Binary value encoding in AuthenticationTypeWSToken

Please let me know what text is unclear in the document.

This is A correct type.  There is no ONE correct type of token to be
returned.  This is strictly a choice of the server.  The server can use an
XML based token, such as SAML, an ASN.1 based token, such as CMS, or a
non-structured token, such as an index in a database.

There is no requirement in the document that the client understand the token
returned to the client.  In fact the requirement is just the opposite.  The
token is to be treated as an opaque blob by the client.  If data such as
lifetimes is to be returned, it is returned as wst namespace attributes.

Jim

From: [email protected] [mailto:[email protected]] On Behalf Of
Dan Griffin
Sent: Wednesday, June 27, 2012 1:42 PM
To: [email protected]
Subject: [plasma] Binary value encoding in AuthenticationTypeWSToken

We're using AuthenticationTypeWSToken to transmit a SAML token - is that the
correct type?

If so, just wanted to clarify - the Value member of that type is a hex
binary string, which seems like an odd choice. Wouldn't XML make more sense?

_______________________________________________
plasma mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/plasma
