Review of Liberty Alliance 1.1 Web Browser Profiles
Prateek Mishra
Netegrity
Web Browser Profiles in SAML 1.0
[Diagram: SAML 1.0 Form POST/Artifact Profile flow between the Source Site (LA IdP) and the Destination Site (LA SP)]
Proposed for inclusion in SAML 1.1 (Form POST/Artifact Profile)
Flow and solution proposal are described in:
sstc-bindings-extensions-03
LA 1.1 Solution Proposal Analysis
• Assumptions: Use-Case and requirements are well understood
• How is the LA 1.1 solution proposal different from SAML 1.0 and SAML 1.1 drafts?
LA 1.1 Flows
[Diagram: LA 1.1 flow between LA IdP and LA SP; the SP sends <AuthNRequest> to the IdP, which returns <AuthNResponse> or an Artifact]
• Rules for mapping XML elements into query strings are described (Section 3.1.2 of Bindings and Profiles)
• AuthNRequest SHOULD be signed
• Assertions with AuthNResponse MUST be signed; it is recommended that the response itself not be signed
• Question: What about counter-measures based on signing TARGET in SAML 1.0?
• Artifact profile Request-Response: <samlp:Request> MUST be signed; <samlp:Response> MAY be signed, but contained assertions MUST be signed.
• ISSUE: Update and reconcile signing with SAML 1.1 guidelines
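The signing rules listed above (AuthNRequest SHOULD be signed; assertions inside AuthNResponse MUST be signed while the response itself is recommended unsigned; samlp:Request MUST be signed; samlp:Response MAY be signed but its assertions MUST be signed) are the kind of policy a receiving SP or IdP should enforce before trusting a message. The following added example is not from the presentation or from the Liberty Alliance specifications; it encodes those rules as a policy table and checks where ds:Signature elements appear in a message. The sample messages are constructed, the Liberty namespace URI in them is assumed, and the check is purely structural: it tells you whether a signature is present in the required place, not whether that signature verifies, which an XML-DSig library must do separately.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Signing rules as listed on the slides, keyed by the message's root element
# (local name only, so the check does not depend on the Liberty/SAML namespace).
#   "self"       = rule for an enveloped signature directly on the message
#   "assertions" = rule for each contained <Assertion>
POLICY = {
    "AuthnRequest":  {"self": "SHOULD",     "assertions": None},
    "AuthnResponse": {"self": "SHOULD_NOT", "assertions": "MUST"},
    "Request":       {"self": "MUST",       "assertions": None},
    "Response":      {"self": "MAY",        "assertions": "MUST"},
}


def _local(tag):
    # ElementTree spells namespaced tags as "{uri}local"; strip the namespace.
    return tag.rsplit("}", 1)[-1]


def _is_signed(elem):
    # Structural check only: a ds:Signature as a direct child of this element.
    return any(child.tag == f"{{{DS_NS}}}Signature" for child in elem)


def _apply(rule, signed, what):
    # Map (rule, observed state) to a finding, or None if the rule is satisfied.
    if rule == "MUST" and not signed:
        return f"ERROR: {what} is unsigned but MUST be signed"
    if rule == "SHOULD" and not signed:
        return f"WARN: {what} is unsigned; it SHOULD be signed"
    if rule == "SHOULD_NOT" and signed:
        return f"WARN: {what} is signed; recommendation is to sign the assertions instead"
    return None


def check_signing(xml_text):
    """Return a list of findings for one protocol message (empty = fully compliant)."""
    root = ET.fromstring(xml_text)
    kind = _local(root.tag)
    if kind not in POLICY:
        return [f"ERROR: unknown message type {kind!r}"]
    rules = POLICY[kind]
    findings = []

    finding = _apply(rules["self"], _is_signed(root), kind)
    if finding:
        findings.append(finding)

    if rules["assertions"]:
        assertions = [e for e in root.iter() if _local(e.tag) == "Assertion"]
        if not assertions:
            findings.append(f"ERROR: {kind} contains no Assertion")
        for i, assertion in enumerate(assertions):
            finding = _apply(rules["assertions"], _is_signed(assertion), f"Assertion #{i}")
            if finding:
                findings.append(finding)
    return findings


def is_acceptable(xml_text):
    """True when no MUST-level rule is violated (WARN findings are tolerated)."""
    return not any(f.startswith("ERROR") for f in check_signing(xml_text))


# Constructed sample: AuthnResponse that is itself signed (not recommended) and
# carries one signed and one unsigned assertion. Signature bodies are placeholders.
# The Liberty namespace URI below is assumed for illustration.
SAMPLE_AUTHN_RESPONSE = """<lib:AuthnResponse xmlns:lib="urn:liberty:iff:2002-12"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_resp1">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion AssertionID="_a1">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
  </saml:Assertion>
  <saml:Assertion AssertionID="_a2"/>
</lib:AuthnResponse>"""

# Constructed sample: artifact-profile samlp:Request with no signature at all.
SAMPLE_ARTIFACT_REQUEST = """<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    RequestID="_req1"><samlp:AssertionArtifact>AAA...</samlp:AssertionArtifact></samlp:Request>"""

# Constructed sample: unsigned samlp:Response whose single assertion is signed (compliant).
SAMPLE_ARTIFACT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_resp2">
  <saml:Assertion AssertionID="_a3"><ds:Signature><ds:SignedInfo/></ds:Signature></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, msg in [("AuthnResponse", SAMPLE_AUTHN_RESPONSE),
                      ("samlp:Request", SAMPLE_ARTIFACT_REQUEST),
                      ("samlp:Response", SAMPLE_ARTIFACT_RESPONSE)]:
        print(name, "acceptable" if is_acceptable(msg) else "REJECT", check_signing(msg))
```

Because the policy is a table keyed by the message's root element, reconciling these rules with whatever SAML 1.1 finally specifies (the last bullet's open issue) is a one-line change per message type rather than a code change.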