Hi Dick, Eve Maler and I were thinking along the same lines and drafted
the enclosed SAML Attribute profile for the OpenID SimpleReg extension.
It has less grand ambitions than yours (e.g. no signing) but otherwise
seems nicely aligned.
Regards
Paul
p.s. and our profile bears a debt to John's initial DIX spec as well
Dick Hardt wrote:
Hello List
Attached is a specification for using SAML to bind properties to an
OpenID Identifier. The mechanism for refreshing the Assertion still
needs to be worked out. Look forward to discussing this and the
Attribute Exchange specifications at IIW with those of you there.
-- Dick
Draft D. Hardt
Sxip Identity
November 2006
OpenID Signed Assertions 1.0 - Draft 01
Abstract
This document describes a SAML assertion schema extension for encoding
third-party attested attribute value claims as OpenID attributes for
use with the OpenID Attribute eXchange service.
Table of Contents
1. Introduction
2. Terminology
2.1. Definitions and Conventions
3. SAML Introduction
3.1. SAML Assertions
4. Employing SAML in OpenID
4.1. Assertion Attributes
5. OpenID SAML Attribute Profile
5.1. Required Information
5.2. SAML Attribute Naming
5.3. Profile-Specific XML Attributes
5.4. SAML Attribute Values
5.5. Example
6. Assertion Schema Extension
6.1. Element openid:Assertion
6.1.1. Element saml:Assertion
7. OpenID Assertion Schema
8. Refreshing an Assertion
9. Example Signed SAML Assertion
10. Security Considerations
11. Acknowledgements
12. References
12.1. Normative References
12.2. Informative References
Author's Address
1. Introduction
This document specifies an assertion schema extension of the Security
Assertion Markup Language (SAML) V2.0 called 'OpenID Signed
Assertions', for use with the OpenID [OpenID.authentication-2.0]
(Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, "OpenID
Authentication 2.0 - Draft 10," August 2006.) Attribute eXchange
service [OpenID.attribute-exchange-1.0] (Hardt, D., "OpenID Attribute
Exchange 1.0 - Draft 03," November 2006.).
Security Assertion Markup Language (SAML) v2.0, SAMLv2, is an
XML-based framework for creating and exchanging security information.
The SAMLv2 specification set is normatively defined by
[OASIS.saml-conformance-2.0-os] (Mishra, P., Philpott, R., and E.
Maler, "Conformance Requirements for the Security Assertion Markup
Language (SAML) V2.0," March 2005.).
2. Terminology
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT,
SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this
document are to be interpreted as described in [RFC2119] (Bradner, S.,
"Key words for use in RFCs to Indicate Requirement Levels," March
1997.).
2.1. Definitions and Conventions
[NOTE: Update terminology based on final OpenID 2.0 draft.]
In this specification, the term, or term component, SAML refers to
SAML V2.0 in all cases. For example, the term SAML assertion
implicitly means SAMLv2 assertion.
For overall SAML terminology, see [OASIS.saml-glossary-2.0-os]
(Hodges, J., Philpott, R., and E. Maler, "Glossary for the Security
Assertion Markup Language (SAML) V2.0," March 2005.).
Conventional XML namespace prefixes are used throughout this
specification to stand for their respective namespaces as follows,
whether or not a namespace declaration is present in the example:
Prefix: openid
XML Namespace: http://openid.net/xmlns/2.0.
Prefix: ds
XML Namespace: http://www.w3.org/2000/09/xmldsig#. This
namespace is defined in the XML Signature Syntax and
Processing specification [W3C.REC-xmldsig-core-20020212]
(Solo, D., Eastlake, D., and J. Reagle, "XML-Signature Syntax
and Processing," February 2002.) and its governing schema.
Prefix: saml
XML Namespace: urn:oasis:names:tc:SAML:2.0:assertion. This is
the SAML V2.0 assertion namespace [OASIS.saml‑core‑2.0‑os]
(Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions
and Protocol for the OASIS Security Assertion Markup Language