On 5/31/11 10:54 AM, "Sam Hartman" wrote:
>For today's GSS, I think it would be reasonable to assume that if the
>authenticated flag is true, and the context is within the sorts of
>contexts we're talking about for Moonshot, SAML and SAML-EC, then the
>issuer is the same issuer who issued the identity.
>The assumption about context may be unnecessary; take a look at the
>definition of the authenticated flag in naming extensions.
There's a control flag now for running a GSS attribute through all the
processing only if it's authenticated, so I think we're covered there.
>Determining who that is is tricky. For gss-eap and krb5 parsing the
>initiator name and saying the attribute is issued by the realm in
>question is fine.
I think what I've done provides an appropriate separation of concerns, but
it's left to the mechanism calling me to set an "issuer" that is outside
the SAML domain (or leave it empty, which is what happens now). I don't
want to get into parsing GSS names in some open-ended (or
mechanism-specific) way inside my library.
There's also a hook now to set a "protocol" string to use in acquiring
SAML metadata for the issuer, and a fallback to the existing SAML protocol
constant when one isn't set, so I don't have to bake in anything specific
to Moonshot or ABFAB at this point.
When I process SAML tokens supplied by, for example, mech_eap, I pull out
the token issuer in the normal way so that it can be used as would
normally be the case today.
>I'd expect that when we add multiple attribute
>sources either the attributes will be aggregated and re-signed by the
>IDP (in which case I think it is reasonable to treat them as issued by the
>IDP) or they will have a different context and thus different name
>prefix. We can also add functions for getting issuers at that point.
That isn't currently there, but it will take future/breaking API changes
for me to handle that anyway.
The other case that's handled already would be aggregation via a plugin on
my side (e.g. SAML queries), since that already processes the results
within the context of the authority being queried.
-- Scott
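The control flow the two of them are describing (process a GSS name attribute only when its authenticated flag is set, take the issuer from the calling mechanism or else from the SAML token itself, look up metadata under a mechanism-supplied protocol string with a fallback to the SAML 2.0 protocol constant, and filter attributes against what that issuer is trusted to assert) can be sketched in a few dozen lines. The Python below is an added model written for this page, not code from Scott's library, mech_eap or the thread. The metadata table, the attribute name under which the mechanism is assumed to hand over a whole assertion, the "urn:example:abfab" protocol string, the realm-to-issuer helper and the sample assertion are all constructed for the example.

```python
"""Model of GSS name-attribute processing with an authenticated-only control flag,
a mechanism-supplied issuer/protocol, and a metadata-driven attribute filter.
Added example; the real library's API and names are assumptions here."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"   # fallback when the mechanism sets no protocol
SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute name under which the mechanism exposes the whole assertion (assumed for this example).
SAML_ASSERTION_ATTR = "urn:ietf:params:gss:federated-saml-assertion"


@dataclass
class GssAttribute:
    """One name attribute as gss_get_name_attribute would return it (RFC 6680 flags)."""
    name: str
    value: bytes
    authenticated: bool
    complete: bool = True


@dataclass
class MechContext:
    """What the calling mechanism tells the SAML layer; both fields are optional."""
    issuer: Optional[str] = None
    protocol: Optional[str] = None


# Constructed metadata: (entityID, protocol) -> attribute names that issuer may assert.
METADATA = {
    ("https://idp.example.org/idp", SAML2_PROTOCOL): {"eduPersonAffiliation", "mail"},
    ("EXAMPLE.COM", "urn:example:abfab"): {"eduPersonAffiliation"},  # hypothetical realm/protocol pair
}


def issuer_from_krb5_name(principal: str) -> Optional[str]:
    """Mechanism-side helper (hypothetical): the realm of the initiator name is the issuer.
    Kept outside resolve() on purpose: the SAML layer never parses GSS names itself."""
    if "@" not in principal:
        return None
    return principal.rsplit("@", 1)[1]


def assertion_issuer_and_attributes(xml_bytes: bytes):
    """Pull <saml:Issuer> and the AttributeStatement out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_bytes)
    ns = {"saml": SAML2_ASSERTION_NS}
    issuer = root.findtext("saml:Issuer", namespaces=ns)
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", ns):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", ns)]
    return (issuer.strip() if issuer else None), attrs


def resolve(attr: GssAttribute, ctx: MechContext, only_authenticated: bool = True):
    """Return (issuer, accepted_attributes, reason) for one GSS name attribute."""
    if only_authenticated and not attr.authenticated:
        return None, {}, "skipped: attribute not authenticated"
    issuer = ctx.issuer
    if attr.name == SAML_ASSERTION_ATTR:
        token_issuer, candidates = assertion_issuer_and_attributes(attr.value)
        if issuer is None:            # mechanism set nothing: use the token's own issuer
            issuer = token_issuer
    else:
        candidates = {attr.name: [attr.value.decode()]}
    if not issuer:
        return None, {}, "skipped: no issuer supplied and none in token"
    protocol = ctx.protocol or SAML2_PROTOCOL
    allowed = METADATA.get((issuer, protocol))
    if allowed is None:
        return issuer, {}, f"rejected: no metadata for {issuer} under {protocol}"
    accepted = {n: v for n, v in candidates.items() if n in allowed}
    return issuer, accepted, "ok"


# Constructed sample assertion; isMemberOf is deliberately outside the issuer's metadata.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Version="2.0" ID="_c1" IssueInstant="2011-05-31T10:54:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="isMemberOf"><saml:AttributeValue>cn=admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Run the four situations from the thread and return their outcomes."""
    cases = [
        ("mech_eap assertion, issuer from token", GssAttribute(SAML_ASSERTION_ATTR, ASSERTION, True), MechContext()),
        ("same assertion, not authenticated", GssAttribute(SAML_ASSERTION_ATTR, ASSERTION, False), MechContext()),
        ("krb5-style attribute, realm issuer + protocol", GssAttribute("eduPersonAffiliation", b"staff", True),
         MechContext(issuer=issuer_from_krb5_name("alice@EXAMPLE.COM"), protocol="urn:example:abfab")),
        ("same attribute, protocol left to fallback", GssAttribute("eduPersonAffiliation", b"staff", True),
         MechContext(issuer=issuer_from_krb5_name("alice@EXAMPLE.COM"))),
    ]
    return [(label, resolve(a, c)) for label, a, c in cases]


if __name__ == "__main__":
    for label, (issuer, accepted, reason) in demo():
        print(f"{label}: issuer={issuer} accepted={accepted} ({reason})")
```

The point the model makes concrete is the separation of concerns in the thread: the realm-to-issuer mapping lives with the mechanism, the SAML layer only consumes an issuer and a protocol string, and the fallback to the SAML 2.0 protocol constant is what makes the unmodified SAML case keep working while a mechanism that sets a different protocol gets its own metadata lookup.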