<<if: ZXIDBOOK>>
<<else: >>Schemata of Various IdM Protocols
#################################
<<class: article!a4paper!!Schemata 01>>
<<author: Sampo Kellomäki (sampo@iki.fi)>>
<<cvsid: $Id: schemata.pd,v 1.3 2009-09-16 10:14:57 sampo Exp $>>
<<fi: >>

99 Appendix: Schema Grammars
============================

Large parts of ZXID code are generated from +schema grammars+ which
are a convenient notation for describing XML schemata. This appendix
contains the schema grammars that are currently implemented and
distributed in the ZXID package.

<<tex: \small>>

99.1 SAML 2.0
-------------

99.1.1 saml-schema-assertion-2.0 (sa)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-assertion-2.0.sg>>
>>

99.1.2 saml-schema-protocol-2.0 (sp)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-protocol-2.0.sg>>
>>

99.1.4 saml-schema-metadata-2.0 (md)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/saml-schema-metadata-2.0.sg>>
>>

99.2 SAML 1.1
-------------

99.2.1 oasis-sstc-saml-schema-assertion-1.1 (sa11)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/oasis-sstc-saml-schema-assertion-1.1.sg>>
>>

99.2.2 oasis-sstc-saml-schema-protocol-1.1 (sp11)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/oasis-sstc-saml-schema-protocol-1.1.sg>>
>>

99.3 Liberty ID-FF 1.2
----------------------

99.3.1 liberty-idff-protocols-schema-1.2 (ff12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idff-protocols-schema-1.2-errata-v2.0.sg>>
>>

99.3.2 liberty-metadata-v2.0 (m20)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-metadata-v2.0.sg>>
>>

99.3.3 liberty-authentication-context-v2.0 (ac)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-authentication-context-v2.0.sg>>
>>

99.4 Liberty ID-WSF 1.1
-----------------------

99.4.1 liberty-idwsf-soap-binding-v1.2 (b12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding-v1.2.sg>>
>>

99.4.2 liberty-idwsf-security-mechanisms-v1.2 (sec12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-security-mechanisms-v1.2.sg>>
>>

99.4.3 liberty-idwsf-disco-svc-v1.2 (di12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-disco-svc-v1.2.sg>>
>>

99.4.5 liberty-idwsf-interaction-svc-v1.1 (is12)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-interaction-svc-v1.1.sg>>
>>

99.5 Liberty ID-WSF 2.0
-----------------------

99.5.1 liberty-idwsf-utility-v2.0 (lu)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-utility-v2.0.sg>>
>>

99.5.2 liberty-idwsf-soap-binding (no version, sbf)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding.sg>>
>>

99.5.3 liberty-idwsf-soap-binding-v2.0 (b)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-soap-binding-v2.0.sg>>
>>

99.5.4 liberty-idwsf-security-mechanisms-v2.0 (sec)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-security-mechanisms-v2.0.sg>>
>>

99.5.5 liberty-idwsf-disco-svc-v2.0 (di)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-disco-svc-v2.0.sg>>
>>

99.5.6 liberty-idwsf-interaction-svc-v2.0 (is)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-interaction-svc-v2.0.sg>>
>>

99.5.7 id-dap (dap)
~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/id-dap.sg>>
>>

99.5.8 liberty-idwsf-subs-v1.0 (subs)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-subs-v1.0.sg>>
>>

99.5.9 liberty-idwsf-dst-v2.1 (dst)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-dst-v2.1.sg>>
>>

99.5.10 liberty-idwsf-idmapping-svc-v2.0 (im)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-idmapping-svc-v2.0.sg>>
>>

99.5.11 liberty-idwsf-people-service-v1.0 (ps)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-people-service-v1.0.sg>>
>>

99.5.12 liberty-idwsf-authn-svc-v2.0 (as)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/liberty-idwsf-authn-svc-v2.0.sg>>
>>

99.6 SOAP 1.1 Processors
------------------------

99.6.2 wsf-soap11 (e)
~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wsf-soap11.sg>>
>>

99.7 XML and Web Services Infrastructure
----------------------------------------

99.7.1 xmldsig-core (ds)
~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xmldsig-core.sg>>
>>

99.7.2 xenc-schema (xenc)
~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/xenc-schema.sg>>
>>

99.7.3 ws-addr-1.0 (a)
~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/ws-addr-1.0.sg>>
>>

99.7.4 wss-secext-1.0 (wsse)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wss-secext-1.0.sg>>
>>

99.7.5 wss-util-1.0 (wsu)
~~~~~~~~~~~~~~~~~~~~~~~~~

<<schema:
<<sg/wss-util-1.0.sg>>
>>

100 Appendix: Some Example XML Blobs
====================================

These XML blobs are for reference. They have been pretty
printed. Indentation indicates nesting level and closing tags have
been abbreviated as "</>". The actual XML on wire generally does not
have any whitespace.
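Because every closing tag in the blobs below is abbreviated to "</>",
the blobs cannot be handed to an XML parser as printed. The following
Python is an added example (it is not part of the ZXID distribution or
its documentation): it rewrites the shorthand back into explicit closing
tags using a stack of open element names, refuses mis-nested input
instead of silently rebalancing it, and then parses the result with the
standard library so the nesting can be checked. The sample fragment is
taken from the SSO assertion in 100.1 below, in the page's notation;
attribute values are assumed not to contain '>' (true for these blobs).

```python
"""Expand the "</>" closing-tag shorthand used by the XML blobs in this appendix.

Added example, not part of the ZXID documentation or code base.
"""
import re
import xml.etree.ElementTree as ET

_NAME = re.compile(r"<([^\s/>]+)")   # element name at the start of a tag


def _tag_end(text, start):
    """Index of the '>' that ends the tag opening at text[start], honouring quotes."""
    quote = None
    for k in range(start + 1, len(text)):
        c = text[k]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == ">":
            return k
    raise ValueError("unterminated tag at offset %d" % start)


def expand_abbrev_closers(text):
    """Rewrite every '</>' into the closing tag of the innermost open element.

    Raises ValueError on a stray '</>', on an explicit closer that does not
    match the innermost open element, and on elements left open at the end.
    """
    out, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("<!--", i):            # comment: copy verbatim
            j = text.index("-->", i) + 3
            out.append(text[i:j])
            i = j
        elif text.startswith("<?", i):            # processing instruction
            j = text.index("?>", i) + 2
            out.append(text[i:j])
            i = j
        elif text.startswith("</>", i):           # abbreviated closer
            if not stack:
                raise ValueError("'</>' with no open element at offset %d" % i)
            out.append("</%s>" % stack.pop())
            i += 3
        elif text.startswith("</", i):            # explicit closer
            j = _tag_end(text, i)
            name = text[i + 2:j].strip()
            if not stack or stack[-1] != name:
                raise ValueError("closing tag %r does not match open element %r"
                                 % (name, stack[-1] if stack else None))
            stack.pop()
            out.append(text[i:j + 1])
            i = j + 1
        elif text[i] == "<":                      # opening or self-closing tag
            j = _tag_end(text, i)
            tag = text[i:j + 1]
            if not tag.endswith("/>"):            # self-closing tags open nothing
                stack.append(_NAME.match(tag).group(1))
            out.append(tag)
            i = j + 1
        else:                                     # character data
            out.append(text[i])
            i += 1
    if stack:
        raise ValueError("unclosed elements: " + ", ".join(stack))
    return "".join(out)


def parse_blob(text):
    """Expand the shorthand and parse the result with ElementTree."""
    return ET.fromstring(expand_abbrev_closers(text))


# Fragment of the SSO assertion in 100.1, in the page's "</>" notation.
SAMPLE = """<sa:Subject xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">
  <sa:NameID
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
  <!-- bearer confirmation; the data element is self-closing -->
  <sa:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <sa:SubjectConfirmationData
        NotOnOrAfter="2007-02-10T06:37:41Z"
        Recipient="https://sp1.zxidsp.org:8443/zxidhlo"/></></>"""

if __name__ == "__main__":
    print(expand_abbrev_closers(SAMPLE))
    print([child.tag for child in parse_blob(SAMPLE)])
```

The scanner deliberately raises on an explicit closer that does not match
the innermost open element, so a blob whose nesting has been damaged is
reported rather than quietly "repaired".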

100.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps
-------------------------------------------------------------------------------

This example corresponds to t/sso-w-bootstraps.xml in the distribution.

Both bootstraps illustrate a SAML assertion used as a bearer token.

  <soap:Envelope
      xmlns:lib="urn:liberty:iff:2003-08"
      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <soap:Body>

      <sp:ArtifactResponse
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="REvgoIIlkzTmk-aIX6tKE"
          InResponseTo="RfAsltVf2"
          IssueInstant="2007-02-10T05:38:15Z"
          Version="2.0">
        <sa:Issuer
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
          https://a-idp.liberty-iop.org:8881/idp.xml</>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

        <sp:Response
            xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
            ID="RCCzu13z77SiSXqsFp1u1"
            InResponseTo="NojFIIhxw"
            IssueInstant="2007-02-10T05:37:42Z"
            Version="2.0">
          <sa:Issuer
              xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://a-idp.liberty-iop.org:8881/idp.xml</>
          <sp:Status>
            <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

          <sa:Assertion
              xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="ASSE6bgfaV-sapQsAilXOvBu"
              IssueInstant="2007-02-10T05:37:42Z"
              Version="2.0">
            <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
              https://a-idp.liberty-iop.org:8881/idp.xml</>

            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
              <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>

            <sa:Subject>
              <sa:NameID
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
              <sa:SubjectConfirmation
                  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <sa:SubjectConfirmationData
                    NotOnOrAfter="2007-02-10T06:37:41Z"
                    Recipient="https://sp1.zxidsp.org:8443/zxidhlo"/></></>

            <sa:Conditions
                NotBefore="2007-02-10T05:32:42Z"
                NotOnOrAfter="2007-02-10T06:37:42Z">
              <sa:AudienceRestriction>
                <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>

            <sa:Advice>

              <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->

              <sa:Assertion
                  ID="CREDOTGAkvhNoP1aiTq4bXBg"
                  IssueInstant="2007-02-10T05:37:42Z"
                  Version="2.0">
                <sa:Issuer
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                  https://a-idp.liberty-iop.org:8881/idp.xml</>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
                      <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
                  <ds:SignatureValue>UKlEgHKQwuoCE=</></>
                <sa:Subject>
                  <sa:NameID/> <!-- *** Bug here!!! -->
                  <sa:SubjectConfirmation
                      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                <sa:Conditions
                    NotBefore="2007-02-10T05:32:42Z"
                    NotOnOrAfter="2007-02-10T06:37:42Z">
                  <sa:AudienceRestriction>
                    <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>

            <sa:AuthnStatement
                AuthnInstant="2007-02-10T05:37:42Z"
                SessionIndex="1171085858-4">
              <sa:AuthnContext>
                <sa:AuthnContextClassRef>
                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>

            <sa:AttributeStatement>

              <!-- Regular attribute -->

              <sa:Attribute
                  Name="cn"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <sa:AttributeValue>Sue</></>

              <!-- ID-WSF 1.1 Bootstrap for discovery. See also the Advice, above. -->

              <sa:Attribute
                  Name="DiscoveryResourceOffering"
                  NameFormat="urn:liberty:disco:2003-08">
                <sa:AttributeValue>
                  <disco:ResourceOffering
                      xmlns:disco="urn:liberty:disco:2003-08"
                      entryID="2">
                    <disco:ResourceID>
                      https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
                    <disco:ServiceInstance>
                      <disco:ServiceType>urn:liberty:disco:2003-08</>
                      <disco:ProviderID>
                        https://a-idp.liberty-iop.org:8881/idp.xml</>
                      <disco:Description>
                        <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
                        <disco:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
                        <disco:Endpoint>
                          https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
                    <disco:Abstract>Symlabs Discovery Service Team G</></></></>

              <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->

              <sa:Attribute
                  Name="urn:liberty:disco:2006-08:DiscoveryEPR"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <sa:AttributeValue>
                  <wsa:EndpointReference
                      xmlns:wsa="http://www.w3.org/2005/08/addressing"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                      notOnOrAfter="2007-02-10T07:37:42Z"
                      wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
                    <wsa:Address>
                      https://a-idp.liberty-iop.org:8881/DISCO-S</>
                    <wsa:Metadata>
                      <disco:Abstract
                          xmlns:disco="urn:liberty:disco:2006-08">SYMfiam Discovery Service</>
                      <sbf:Framework
                          xmlns:sbf="urn:liberty:sb"
                          version="2.0"/>
                      <disco:ProviderID
                          xmlns:disco="urn:liberty:disco:2006-08">
                        https://a-idp.liberty-iop.org:8881/idp.xml</>
                      <disco:ServiceType
                          xmlns:disco="urn:liberty:disco:2006-08">urn:liberty:disco:2006-08</>
                      <disco:SecurityContext
                          xmlns:disco="urn:liberty:disco:2006-08">
                        <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>

                        <sec:Token
                            xmlns:sec="urn:liberty:security:2006-08"
                            usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">

                          <sa:Assertion
                              ID="CREDV6ZBMyicmyvDq9pLIoSR"
                              IssueInstant="2007-02-10T05:37:42Z"
                              Version="2.0">
                            <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                              https://a-idp.liberty-iop.org:8881/idp.xml</>
                            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <ds:SignedInfo>
                                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
                                  <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
                              <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
                            <sa:Subject>
                              <sa:NameID
                                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                  NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
                                9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
                              <sa:SubjectConfirmation
                                  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                            <sa:Conditions
                                NotBefore="2007-02-10T05:32:42Z"
                                NotOnOrAfter="2007-02-10T06:37:42Z">
                              <sa:AudienceRestriction>
                                <sa:Audience>
                                  https://a-idp.liberty-iop.org:8881/idp.xml</></></>
                            <sa:AuthnStatement
                                AuthnInstant="2007-02-10T05:37:42Z">
                              <sa:AuthnContext>
                                <sa:AuthnContextClassRef>
                                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>

100.2 ID-WSF 2.0 Call with X509v3 Sec Mech
------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:b="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <e:Header>
      <wsa:MessageID wsu:Id="MID">123</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">...</>
      <wsse:Security mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</></>
        <wsse:BinarySecurityToken
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
            wsu:Id="X509"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
          MIIB9zCCAWSgAwIBAgIQ...</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#X509">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>Ru4cAfeBAB</></>
            <ds:Reference URI="#BDY">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>YgGfS0pi56p</></></>
          <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509"/></></>
          <ds:SignatureValue>HJJWbvqW9E84vJVQkjDElgscSXZ5Ekw==</></></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

The salient features of the above XML blob are

* Signature that covers the relevant SOAP headers and the Body
* Absence of any explicit identity token.

Absence of an identity token means that from the headers it is not
possible to identify the target identity. The signature generally
conveys the Invoker identity (the WSC that is calling the
service). Since one WSC typically acts on behalf of many principals,
the message alone gives no way to tell which one is meant.
For this reason the X509 security mechanism is
seldom used in the ID-WSF 2.0 world (with ID-WSF 1.1 the ResourceID
provides an alternative way of identifying the principal, which makes
X509 a viable option there).

100.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech
---------------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:b="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/03/addressing">
    <e:Header>
      <wsa:MessageID wsu:Id="MID">...</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">...</>
      <wsse:Security mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS">
          <wsu:Created>2005-06-17T04:49:17Z</></>
        <wsse:BinarySecurityToken
            ValueType="anyNSPrefix:ServiceSessionContext"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
            wsu:Id="BST">
          mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdgcX8fpEqSr1v4
          YqUc7OMiJcBtKBp3+jlD4HPUaurIqHA0vrdmMpM+sF2BnpND118f/mXCv3XbWhiL
          VT4r9ytfpXBluelOV93X8RUz4ecZcDm9e+IEG+pQjnvgrSgac1NrW5K/CJEOUUjh
          oGTrym0Ziutezhrw/gOeLVtkywsMgDr77gWZxRvw01w1ogtUdTceuRBIDANj+KVZ
          vLKlTCaGAUNIjkiDDgti=</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#BST">...</>
            <ds:Reference URI="#BDY">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>YgGfS0pi56pu</></></>
          ...</></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

100.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech
-------------------------------------------------

  <e:Envelope
      xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:sb="urn:liberty:sb:2005-11"
      xmlns:sec="urn:liberty:security:2005-11"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsa="http://www.w3.org/2005/08/addressing"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <e:Header>
      <wsa:MessageID wsu:Id="MID">...</>
      <wsa:To wsu:Id="TO">...</>
      <wsa:Action wsu:Id="ACT">...</>
      <wsse:Security mustUnderstand="1">
        <wsu:Timestamp wsu:Id="TS">
          <wsu:Created>2005-06-17T04:49:17Z</></>

        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Version="2.0"
            ID="A7N123"
            IssueInstant="2005-04-01T16:58:33.173Z">
          <sa:Issuer>http://idp.symdemo.com/</>
          <ds:Signature>...</>
          <sa:Subject>
            <sa:EncryptedID>
              <xenc:EncryptedData>U2XTCNvRX7Bl1NK182nmY00TEk==</>
              <xenc:EncryptedKey>...</></>
            <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
          <sa:Conditions
              NotBefore="2005-04-01T16:57:20Z"
              NotOnOrAfter="2005-04-01T21:42:43Z">
            <sa:AudienceRestrictionCondition>
              <sa:Audience>http://wsp.zxidsp.org</></></>
          <sa:AuthnStatement
              AuthnInstant="2005-04-01T16:57:30.000Z"
              SessionIndex="6345789">
            <sa:AuthnContext>
              <sa:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></></>
          <sa:AttributeStatement>
            <sa:EncryptedAttribute>
              <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
                mQEMAzRniWkAAAEH9RbzqXdgcX8fpEqSr1v4=</>
              <xenc:EncryptedKey>...</></></></>

        <wsse:SecurityTokenReference
            xmlns:wsse11="..."
            wsu:Id="STR1"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <wsse:KeyIdentifier
              ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
            A7N123</></>

        <ds:Signature>
          <ds:SignedInfo>
            <ds:Reference URI="#MID">...</>
            <ds:Reference URI="#TO">...</>
            <ds:Reference URI="#ACT">...</>
            <ds:Reference URI="#TS">...</>
            <ds:Reference URI="#STR1">
              <ds:Transform Algorithm="...#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></></></>
            <ds:Reference URI="#BDY"/></>
          ...</></></>
    <e:Body wsu:Id="BDY">
      <xx:Query/></></>

*** is the reference above to wsse11:TokenType really correct?

Note how the <Subject> and the attributes are encrypted such that only
the WSP can open them. This protects against the WSC gaining knowledge of
the NameID used at the WSP.

100.5 XACML 2.0 SAML Profile SOAP Call
--------------------------------------

  <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
    <e:Body>
      <xasp:XACMLAuthzDecisionQuery
          xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
          ID="RX3eHFSEBW6-OnPG5sGV_EevU"
          IssueInstant="2009-09-07T21:28:05Z"
          Version="2.0">
        <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp1.zxidsp.org:5443/protected/saml?o=B</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#RX3eHFSEBW6-OnPG5sGV_EevU">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>F2r41OppQA2ZLsosLO6V9VNJ0J8=</></></>
          <ds:SignatureValue>sAvByKH9--(snip)--HV+1oqcdUw=</></>
        <xac:Request xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <xac:Subject>
            <xac:Attribute
                AttributeId="permisRole"
                DataType="xs:string"
                Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
              <xac:AttributeValue>guest</></>
            <xac:Attribute
                AttributeId="permisRole"
                DataType="xs:string"
                Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
              <xac:AttributeValue>jesterbester</></>
            <xac:Attribute
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="xs:string">
              <xac:AttributeValue>FdGaMOmtJPfvK9dN64lWgKTOp</></></>
          <xac:Resource>
            <xac:Attribute
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="xs:string">
              <xac:AttributeValue>/protected/env.cgi</></></>
          <xac:Action>
            <xac:Attribute
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="xs:string">
              <xac:AttributeValue>urn:oasis:names:tc:xacml:1.0:action:implied-action</></></>
          <xac:Environment>
            <xac:Attribute
                AttributeId="zxididp"
                DataType="xs:string"
                Issuer="https://idp.tas3.pt:8443/zxididp?o=B">
              <xac:AttributeValue>0.33 1251217347</></>
            <xac:Attribute
                AttributeId="affid"
                DataType="xs:string">
              <xac:AttributeValue>https://idp.tas3.pt:8443/zxididp?o=B</></>
            <xac:Attribute
                AttributeId="authnctxlevel"
                DataType="xs:string">
              <xac:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></>
            <xac:Attribute
                AttributeId="sesid"
                DataType="xs:string">
              <xac:AttributeValue>S6QaJzAylXfkw1tFlrZSD9Zwr</></></></></></></>


  <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
    <e:Body>
      <sp:Response
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="R-Dn3MxxJ0xo7jjOeVpC1aezO"
          InResponseTo="RX3eHFSEBW6-OnPG5sGV_EevU"
          IssueInstant="2009-09-07T18:48:03Z"
          Version="2.0">
        <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.tas3.pt:8443/zxididp?o=B</>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#R-Dn3MxxJ0xo7jjOeVpC1aezO">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>jdBsc0wOvJsBJCCc4eyq1bnG1u4=</></></>
          <ds:SignatureValue>AZyw2fK5--(snip)--UTOSSov7kc=</></>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>
        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="A73VuYGSDQ8MI-TUNk8PORrZT"
            IssueInstant="2009-09-07T18:48:03Z"
            Version="2.0">
          <sa:Issuer>https://idp.tas3.pt:8443/zxididp?o=B</>
          <sa:Conditions
              NotBefore="2009-09-07T18:48:03Z"
              NotOnOrAfter="2009-09-07T19:48:03Z"/>
          <xasa:XACMLAuthzDecisionStatement xmlns:xasa="urn:oasis:xacml:2.0:saml:assertion:schema:os">
            <xac:Response xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
              <xac:Result>
                <xac:Decision>Permit</>
                <xac:Status>
                  <xac:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></></></></></></></></>


<<htmlpreamble: <title>ZXID Schemata</title><body bgcolor="#330033" text="#ffaaff" link="#ffddff" vlink="#aa44aa" alink="#ffffff"><font face=sans><h1>ZXID Schemata</h1> >>

<<if: ZXIDBOOK>>
<<else: >><<EOF: >>
<<fi: >>
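The bearer assertions shown in 100.1 and 100.4 above are only safe to
act on after the receiving SP or WSP has checked them: the Response must
answer a request the receiver actually sent, the Issuer must be the
expected IdP, the Conditions window must contain the current time (with
a small clock-skew allowance), the receiver's own entityID must appear in
the AudienceRestriction, and the bearer SubjectConfirmationData must name
the receiver's endpoint as Recipient and not have expired. The following
Python is an added example of those receiver-side checks; it is not
ZXID's code. The sample Response is constructed, reusing the identifiers,
URLs and timestamps of 100.1 with placeholder signature contents; XML-DSig
verification is left to a signature library and appears here only as a
presence check.

```python
"""Relying-party checks for a SAML 2.0 bearer assertion.

Added example, not ZXID's own code. Signature verification is represented
only by a presence check; a real receiver must verify it against the IdP
key before any of the other checks mean anything.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"sp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "sa": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_time(s):
    """Parse a SAML UTC dateTime such as 2007-02-10T05:37:42Z (fraction optional)."""
    s = s.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, now, my_entity_id, my_acs_url, expected_issuer,
                   outstanding_request_ids, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the Response; empty list means accept."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("InResponseTo") not in outstanding_request_ids:
        problems.append("InResponseTo matches no outstanding request (unsolicited or replayed)")
    code = resp.find("sp:Status/sp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertion = resp.find("sa:Assertion", NS)
    if assertion is None:
        return problems + ["no sa:Assertion in Response"]
    if assertion.findtext("sa:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        problems.append("Issuer is not the expected IdP")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned (signature must also be verified against the IdP key)")
    cond = assertion.find("sa:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < saml_time(nb):
            problems.append("Conditions: not yet valid")
        if noa and now - skew >= saml_time(noa):
            problems.append("Conditions: expired")
        audiences = [a.text.strip() for a in
                     cond.findall("sa:AudienceRestriction/sa:Audience", NS) if a.text]
        if my_entity_id not in audiences:
            problems.append("AudienceRestriction does not include us")
    confirmed = False
    for sc in assertion.findall("sa:Subject/sa:SubjectConfirmation", NS):
        data = sc.find("sa:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue                          # not a usable bearer confirmation
        if data.get("Recipient") != my_acs_url:
            problems.append("bearer Recipient is not our endpoint")
        elif data.get("NotOnOrAfter") and now - skew >= saml_time(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
        else:
            confirmed = True
    if not confirmed:
        problems.append("no acceptable bearer SubjectConfirmation")
    if not assertion.findtext("sa:Subject/sa:NameID", default="", namespaces=NS).strip():
        problems.append("empty NameID (the defect flagged '*** Bug here' in 100.1)")
    return problems


# Constructed sp:Response modelled on 100.1 (its IDs and URLs reused;
# the signature contents are placeholders and are not verified here).
SAMPLE_RESPONSE = """<sp:Response xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="RCCzu13z77SiSXqsFp1u1" InResponseTo="NojFIIhxw" IssueInstant="2007-02-10T05:37:42Z" Version="2.0">
 <sa:Issuer>https://a-idp.liberty-iop.org:8881/idp.xml</sa:Issuer>
 <sp:Status><sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></sp:Status>
 <sa:Assertion ID="ASSE6bgfaV-sapQsAilXOvBu" IssueInstant="2007-02-10T05:37:42Z" Version="2.0">
  <sa:Issuer>https://a-idp.liberty-iop.org:8881/idp.xml</sa:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <sa:Subject>
   <sa:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PB5fLIA4lRU2bH4HkQsn9</sa:NameID>
   <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <sa:SubjectConfirmationData NotOnOrAfter="2007-02-10T06:37:41Z" Recipient="https://sp1.zxidsp.org:8443/zxidhlo"/>
   </sa:SubjectConfirmation>
  </sa:Subject>
  <sa:Conditions NotBefore="2007-02-10T05:32:42Z" NotOnOrAfter="2007-02-10T06:37:42Z">
   <sa:AudienceRestriction><sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</sa:Audience></sa:AudienceRestriction>
  </sa:Conditions>
 </sa:Assertion>
</sp:Response>"""

# The receiving SP's view of itself and of the IdP (values from 100.1).
SP_CONFIG = dict(my_entity_id="https://sp1.zxidsp.org:8443/zxidhlo?o=B",
                 my_acs_url="https://sp1.zxidsp.org:8443/zxidhlo",
                 expected_issuer="https://a-idp.liberty-iop.org:8881/idp.xml",
                 outstanding_request_ids={"NojFIIhxw"})

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, saml_time("2007-02-10T05:40:00Z"), **SP_CONFIG))
    print(check_response(SAMPLE_RESPONSE, saml_time("2007-02-10T06:40:00Z"), **SP_CONFIG))
```

Two design points: the set of outstanding request IDs is consumed by the
InResponseTo check, which is what stops a captured Response from being
replayed, and every failed check is collected rather than returned on
first failure, so an operator's log shows the whole picture of a bad
assertion instead of one symptom at a time.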