cdaefa:EFA Policy Assertion SAML2 Binding
Revision as of 5 April 2013, 06:03 by Rkuhlisch (talk | contribs)
SAML 2.0 Profile for ECR Policy Assertions
Assertion Element | Opt | Usage Convention
---|---|---
@Version | R | MUST be "2.0"
@ID | R | URN-encoded unique identifier (UUID) of the assertion
@IssueInstant | R | Time instant of issuance, in UTC
Issuer | R | Address URI that identifies the endpoint of the issuing service
Subject | R | Defines the subject confirmation method for the user, so that the Policy Assertion can be used as a supporting token, and the subject name identifier, which matches the user identity from an Identity Assertion.
NameID | R | Identifier of the HP given in the Identity Assertion, encoded as an X.509 subject name, an e-mail address or a string value (unspecified format). Only identifiers that can be traced back to an individual person in the long term MUST be used.
@Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
SubjectConfirmation | R |
@Method | R | This attribute MUST hold a URI reference that identifies a protocol to be used to authenticate the subject [SAML2.0core]. The value of this attribute MUST be set to
SubjectConfirmationData | R |
ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is held only by the user. This can be the user's public key (ds:KeyValue/ds:RSAKeyValue), the user's complete X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). Such a symmetric key MUST be encrypted with the public key of the consumer service's certificate [eFA PKI 1.2].
Conditions | R |
@NotBefore | R | Time instant from which the assertion is usable. The assertion consumer MUST assess this condition to prove the validity of the assertion.
@NotOnOrAfter | R | Time instant at which the assertion expires. The assertion consumer MUST assess this condition to prove the validity of the assertion. The validity timespan of a Policy Assertion MUST NOT exceed 4 hours.
XACMLPolicyStatement | R |
Policy or PolicySet | R | Policy or PolicySet that expresses the authorization (see section below for details).
ds:Signature | R | Enveloped XML signature of the issuer of the Policy Assertion (see section below for details).
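As an added example (not part of the eFA wiki page or its reference implementation), the structural checks from the table above as a Python routine a consumer service could run before verifying the signature itself. The sample assertion, its holder-of-key method URI, key material, identifiers and URLs are constructed assumptions, and XACMLPolicyStatement is matched by local name because its namespace is not given on this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML, DS = "{urn:oasis:names:tc:SAML:2.0:assertion}", "{http://www.w3.org/2000/09/xmldsig#}"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"}
MAX_VALIDITY = timedelta(hours=4)  # profile limit for a Policy Assertion

def _utc(ts):  # profile timestamps are UTC ("...Z"); anything else raises ValueError
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_policy_assertion(xml_text, now):
    """Return the profile violations found; an empty list means structurally acceptable."""
    a, problems = ET.fromstring(xml_text), []
    if a.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    nid = a.find(SAML + "Subject/" + SAML + "NameID")
    if nid is None or nid.get("Format") not in NAMEID_FORMATS:
        problems.append("NameID missing or Format not allowed")
    sc = a.find(SAML + "Subject/" + SAML + "SubjectConfirmation")
    if sc is None or not sc.get("Method"):
        problems.append("SubjectConfirmation/@Method missing")
    elif sc.find(SAML + "SubjectConfirmationData/" + DS + "KeyInfo") is None:
        problems.append("SubjectConfirmationData must carry ds:KeyInfo")
    cond = a.find(SAML + "Conditions")
    try:  # both attributes are required; NotOnOrAfter is exclusive
        nb, noa = _utc(cond.get("NotBefore")), _utc(cond.get("NotOnOrAfter"))
        if not nb <= now < noa:
            problems.append("assertion not valid at evaluation time")
        if noa - nb > MAX_VALIDITY:
            problems.append("validity window exceeds 4 hours")
    except (AttributeError, TypeError, ValueError):
        problems.append("Conditions/@NotBefore and @NotOnOrAfter required in UTC")
    if not any(c.tag.rsplit("}", 1)[-1] == "XACMLPolicyStatement" for c in a):  # local name
        problems.append("XACMLPolicyStatement missing")
    if a.find(DS + "Signature") is None:  # enveloped signature; cryptographic check is separate
        problems.append("enveloped ds:Signature missing")
    return problems

# Constructed sample assertion; all values are assumptions, not eFA data.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="urn:uuid:4b1d1e5e-8c3a-4f0e-9a7c-3f2e1d0c9b8a"
 IssueInstant="2013-04-05T06:03:00Z"><saml:Issuer>https://policy.example.invalid/sts</saml:Issuer>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Dr. Example,O=Clinic</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData>
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2013-04-05T06:00:00Z" NotOnOrAfter="2013-04-05T10:00:00Z"/>
 <XACMLPolicyStatement><Policy PolicyId="urn:example:policy"/></XACMLPolicyStatement>
 <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature></saml:Assertion>"""
```

Running `check_policy_assertion(SAMPLE, _utc("2013-04-05T08:00:00Z"))` returns an empty list, while the same assertion evaluated at its NotOnOrAfter instant, or with the window stretched beyond four hours, is reported as a violation.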