srinath,
Here are some thoughts:
My impression of the IssuedToken assertion is as follows: it is used by
a relying party to inform a client about a WS-Trust authority whence
it should acquire an assertion. So it is quite a complicated beast and I
dont see exactly how it fits in your scenario.
Your SAML assertion is a bearer assertion; so the simplest model is that
it is placed in the SOAP header by the requestor and sent to the
recipient. So here is how you would specify that:
(1) Use of SAMLtoken assertion -
<sp:SAMLToken>
<wsp:Policy>
<sp:WSSSAMLV20Token11> !--- or whatever the version is
</sp:SAMLToken>
Note that there is no way to indicate the SubectConfirmationMethod of
the token required.
(2) Is the SOAP message being sent over HTTPS? One of the simplest
use-cases for SAML is a bearer assertion sent over server-side HTTPS. You
would then combine the SAMLtokenAssertion with the transport binding. So
putting it all together we have:
<wsp:Policy>
<sp:SupportingToken>
<wsp:policy>
<sp:SAMLToken>
<wsp:Policy>
<sp:WSSSAMLV20Token11> !--- or whatever the version is
<wsp:Policy>
</sp:SAMLToken>
<s/p:SupportingToken>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<wsp:Policy>
- prateek
I am trying to specify that the client need a SMAL assertion included
in the request by specifying it using WS-Policy. The Assertion is a
token issued by third part which act as a capability token.
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
<Conditions NotBefore="2006-02-03T17:39:57.240Z"
NotOnOrAfter="2006-02-03T18:09:57.240Z">
<AudienceRestrictionCondition> ...
</AudienceRestrictionCondition>
</Conditions>
<AuthorizationDecisionStatement
Resource="http://www.extreme.indiana.edu/lead/TestCMD_Simple_Fri_Feb_03_12_39_52_EST_2006_653199";
Decision="Permit">
<Subject>
<NameIdentifier>/C=US/O=Indiana
University/OU=Computer Science/CN=Hemapani Srinath
Perera</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
<Action
Namespace="http://www.extreme.indiana.edu/lead";>Run</Action>
</AuthorizationDecisionStatement>
<ds:Signature> .... </ds:Signature>
</Assertion>
I find two options to do that so far,
1) IssuedToken Assertion, as by the 6.3.2 IssuedToken Assertion of
WS-Secuirty Policy Specification
2) SMAL Assertion, as by 6.3.8 SamlToken Assertion of WS-Secuirty
Policy Specification
If anyone has use either of the method, please give me a pointer
1) can anybody recommend using one over the other? Or a better way to do it
2) Can do anyone have a example of using either kind of Policy assertion?
Thanks
Srinath
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
