cdaefa:EFA Policy Assertion SAML2 Binding
Inhaltsverzeichnis
SAML 2.0 Profile for ECR Policy Assertions
Assertion Element | Opt | Usage Convention | |||
---|---|---|---|---|---|
@Version | R | MUST be “2.0” | |||
@ID | R | URN encoded unique identifier (UUID) of the assertion | |||
@IssueInstant | R | time instant of issuance in UTC | |||
Issuer | R | address URI that identifies the endpoint of the issuing service | |||
Subject | R | This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion. | |||
NameID | R | Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | |||
@Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | |||
SubjectConfirmation | R | ||||
@Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to | |||
SubjectConfirmationData | R | ||||
ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | |||
Conditions | R | ||||
@NotBefore | R | time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | |||
@NotOnOrAfter | R | Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours. | |||
XACMLPolicyStatement | R | ||||
Policy or PolicySet | R | Policy or PolicySet that expresses the authorization (see section below for details). | |||
ds:Signature | R | Enveloped XML signature of the issuer of the Policy Assertion (see section below for details). |
Policy or PolicySet Profile
Assertion Signature
Every HP Identity Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.
Signature Parameter | Usage Convention |
---|---|
CanonicalizationMethod | SHOULD be http://www.w3.org/2001/10/xml-exc-c14n# |
Transformation | Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used. |
SignatureMethod | For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or |
DigestMethod | For signing assertions the digest method http://www.w3.org/2000/09/xmldsig#sha1 or |
KeyInfo | This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer. |
Example Assertion
<soap12:Envelope … > <soap12:Header … > <wsse:Security … > <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1" IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0"> <saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>ggyn … LQ==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> … </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> ... </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> <saml:SubjectConfirmationData> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> … </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </saml:SubjectConfirmationData/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2013-04-05T08:14:28.788Z" NotOnOrAfter="2013-04-05T12:14:28.788Z"> </saml:Conditions> <xacml-saml:XACMLPolicyStatement> <xacml:PolicySet> <xacml:AuthnContextClassRef> </xacml:AuthnContextClassRef> </xacml:PolicySet> </xacml-saml:XACMLPolicyStatement> </saml:Assertion> </wsse:Security>
- zurück zur EFA-2.0-Spezifikation