cdaefa:EFA Policy Assertion SAML2 Binding: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „== SAML 2.0 Profile for ECR Access Policy Assertions == {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Asser…“) |
|||
| Zeile 1: | Zeile 1: | ||
| − | == SAML 2.0 Profile for ECR | + | == SAML 2.0 Profile for ECR Policy Assertions == |
| − | {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model.}} | + | {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model. There is no specification in the case that the Authorization Decision Provider requests policies from the eCR Policy Provider.}} |
| + | |||
| + | {|class="wikitable" style="text-align: left; cellpadding: 10;" | ||
| + | !colspan="4"|Assertion Element | ||
| + | !Opt | ||
| + | !Usage Convention | ||
| + | |- | ||
| + | |colspan="4"|@Version | ||
| + | |R | ||
| + | |MUST be “2.0” | ||
| + | |- | ||
| + | |colspan="4"|@ID | ||
| + | |R | ||
| + | |URN encoded unique identifier (UUID) of the assertion | ||
| + | |- | ||
| + | |colspan="4"|@IssueInstant | ||
| + | |R | ||
| + | |time instant of issuance in UTC | ||
| + | |- | ||
| + | |colspan="4"|Issuer | ||
| + | |R | ||
| + | |address URI that identifies the endpoint of the issuing service | ||
| + | |- | ||
| + | |colspan="4"|Subject | ||
| + | |R | ||
| + | |This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion. | ||
| + | |- | ||
| + | | | ||
| + | |colspan="3"|NameID | ||
| + | |R | ||
| + | |Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | ||
| + | |- | ||
| + | | | ||
| + | | | ||
| + | |colspan="2"|@Format | ||
| + | |R | ||
| + | |MUST be ''urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'' <br> | ||
| + | or ''urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName''<br> | ||
| + | or ''urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress''<br> | ||
| + | For providing an OID as a subject identifier the ''unspecified'' format must be used. The OID must be provided as a string encoded in ISO format. | ||
| + | |- | ||
| + | | | ||
| + | |colspan="3"|SubjectConfirmation | ||
| + | |R | ||
| + | | | ||
| + | |- | ||
| + | | | ||
| + | | | ||
| + | |colspan="2"|@Method | ||
| + | |R | ||
| + | |This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to <br> | ||
| + | ''urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'' | ||
| + | |- | ||
| + | | | ||
| + | | | ||
| + | |colspan="2"|SubjectConfirmationData | ||
| + | |R | ||
| + | | | ||
| + | |- | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |ds:KeyInfo | ||
| + | |R | ||
| + | |The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | ||
| + | |- | ||
| + | |colspan="4"|Conditions | ||
| + | |R | ||
| + | | | ||
| + | |- | ||
| + | | | ||
| + | |colspan="3"|@NotBefore | ||
| + | |R | ||
| + | |time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | ||
| + | |- | ||
| + | | | ||
| + | |colspan="3"|@NotOnOrAfter | ||
| + | |R | ||
| + | |Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours. | ||
| + | |- | ||
| + | |colspan="4"|XACMLPolicyStatement | ||
| + | |R | ||
| + | | | ||
| + | |- | ||
| + | | | ||
| + | |colspan="3"|Policy or PolicySet | ||
| + | |R | ||
| + | |Policy or PolicySet that expresses the authorization (see section below for details). | ||
| + | |- | ||
| + | |colspan="4"|ds:Signature | ||
| + | |R | ||
| + | |Enveloped XML signature of the issuer of the Policy Assertion (see section below for details). | ||
| + | |} | ||
Version vom 5. April 2013, 06:03 Uhr
SAML 2.0 Profile for ECR Policy Assertions
 |
This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model. There is no specification in the case that the Authorization Decision Provider requests policies from the eCR Policy Provider. |
| Assertion Element | Opt | Usage Convention | |||
|---|---|---|---|---|---|
| @Version | R | MUST be “2.0” | |||
| @ID | R | URN encoded unique identifier (UUID) of the assertion | |||
| @IssueInstant | R | time instant of issuance in UTC | |||
| Issuer | R | address URI that identifies the endpoint of the issuing service | |||
| Subject | R | This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion. | |||
| NameID | R | Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | |||
| @Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | |||
| SubjectConfirmation | R | ||||
| @Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to | |||
| SubjectConfirmationData | R | ||||
| ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | |||
| Conditions | R | ||||
| @NotBefore | R | time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | |||
| @NotOnOrAfter | R | Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours. | |||
| XACMLPolicyStatement | R | ||||
| Policy or PolicySet | R | Policy or PolicySet that expresses the authorization (see section below for details). | |||
| ds:Signature | R | Enveloped XML signature of the issuer of the Policy Assertion (see section below for details). | |||
