GitHub source: https://github.com/KantaraInitiative/SAMLprofiles/tree/master/edit/saml2int
Rendered version: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
Issue tracking table
# | Reporter | Issue | Submitter Comments | Response(s) | Disposition |
---|---|---|---|---|---|
1 | Rainer Hoerbe | NA | The first paragraph in the introduction should contrast the deployment profile with an implementation profile, and reference the SAML Implementation Profile for Federation Interop for this purpose. The difference between both types of profiles is not widely understood. | Sounds sensible to the group. Slot in after first paragraph of introduction. Nick volunteers to propose language. Status update 2019-06-11, addressed in commit https://github.com/KantaraInitiative/SAMLprofiles/commit/376ce65dccfd838bd5676712682602f14ca4a588 | Accepted |
2 | Rainer Hoerbe | SDP-MD02 | I do not understand the explanation for [SDP-MD02]. If PKI with path validation is being used, there would be no hindrance to roll out new keys, even if metadata and assertions use the same key. I have seen IDPs that publish their own metadata at the well-known location using the same signing key as for assertions. | (Scott) I think you may be correct about that and that the text is written with a presumption of the verification approach, and if we didn't specify that (and I don't think we did), it's open to methods that wouldn't have the problem we were concerned about. I think it needs work. Good catch. In a closed environment where you have control of the trust anchors, this would work. You could obtain metadata signing keys from a federation and publish signed metadata locally. This is correct in theory but not in practice - PKI doesn't federate beyond a closed ecosystem. We are trying to leave too much open, need to say how you trust the signature. Need to give a couple of examples, in this example the key would have to be different, in this one, the key would be the same. It's the binding of the key to the entity that's the problem with the model Rainer is talking about. The qualifier in the italicized text in MD02 is what we need to pull up into a positive requirement. | Accepted |
3 | Rainer Hoerbe | SDP-SP03 | "This will typically imply that requests do _not_ involve a full-frame redirect ...". In my understanding it is the other way round; in Javascript terms one has to execute "document.location = url;". Also, what is the approach for single page applications? | (Scott) Ouch. Yeah, that's backwards. (re: SPA): Generally AJAX use has to be governed by more intelligent server side signaling and code able to detect a loss of session without being inadvertently thrown into a SSO loop, and that's not even just due to framing but simply the lack of a UI to handle the redirect when it happens at the wrong time. We'll fix the backwards part. | Accepted |
4 | Rainer Hoerbe | SDP-SP23 | I think that the division of IDP-discovery into disco-UI and preference persistence is a significant improvement over the current IDP-Discovery spec, fixing the issue that embedded discovery results are not shared across SPs. See the RA21 proposal: https://groups.niso.org/apps/group_public/download.php/21376/NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf. Rumor has it that Leif implemented it in pyFF. | (Scott) The discovery spec that's referenced never addressed UI or persistence, it's an interop protocol only, to enable a discovery solution to be injected into the flow, whatever solution it might be. We should ask Rainer to clarify. | The group believes that there is no strong consensus on best practice for this aspect of discovery. |
5 | François Kooman | SDP-ALG01 | I'm trying to understand the RSA-OAEP encryption requirements for IdPs / SPs. It seems most IdPs use SHA1 for both the MGF1 and digest? So, this profile requires you to use SHA1 for the MGF1 and SHA256 for the digest. Any reason why it is not SHA256 for both? Also, why not require MGF1 with SHA256? Probably I am missing something here... (Github Issue #129) | (Judith) I read the parenthesized reference to the default mask generation function to be a reiteration of a requirement stated elsewhere, particularly XMLEnc's §5.4.2 statement that "As described in the EME-OAEP-ENCODE function RFC 2437 [PKCS1, section 9.1.1.1], .... using the mask generator function MGF1 (with SHA1) specified in RFC 2437." If I am correct, I wonder if rewording as follows would be more clear. (Scott) There is definitely clarification needed, it reads very badly now... but most IdPs have long since stopped using SHA-1 for general usage, the MGF1 case is an exception and was left as is for interoperability. It's not that unusual for libraries to lack support for any MGF pluggability. If there are security implications for use of SHA-1 there, I'm not aware of them. | Accepted |
6 | via Rainer Hoerbe | SDP-IDP07 | I received a comment from an Austrian government agency with regard to the required authentication challenge of Forced Re-Authentication. They are using other mechanisms than passwords, such as Kerberos and client certificates. They write: "In such use cases the concrete meaning of this feature is unclear. Beside the fact that authentication does not involve user interaction in every case, using re-authentication for an improved "Are you sure?" dialog results in bad user experience. The logon screen of an IdP does not explain what is going on. Other protocols should be used for this use case. For example, with the current Austrian governmental E-ID solution it is possible to sign a text or an XML document. Only protocols like that are providing an improved non-repudiation, by binding the information the user has to acknowledge with a signature." I think that one could argue that 'previous session' on a managed device with a screen lock is a good-enough proof of presence. | Eric Goodman wrote on 6/6/19 12:22: Cantor, Scott wrote on 6/5/19 17:33: | Accepted |
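The interoperability point behind issue 5 (SDP-ALG01) is that RSA-OAEP carries two independent hash parameters: the digest hash that sizes lHash and the seed, and the hash inside MGF1. The following is an added illustration, not code from the profile or from this tracker: a pure-Python EME-OAEP encode/decode (RFC 8017 style, empty label as in XML Encryption) built on hashlib, with the RSA modular exponentiation step omitted; `k` is the assumed modulus length in bytes, and `interop_check` shows that a receiver assuming SHA-1 for both, or SHA-256 for both, cannot decode what a profile-conformant sender (SHA-256 digest, MGF1 with SHA-1) produced.

```python
import hashlib
import os

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1), parameterised by the mask hash (SHA-1 is the XMLEnc default)."""
    mask, counter = b"", 0
    while len(mask) < length:
        mask += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return mask[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, digest: str, mgf_hash: str, seed: bytes = None) -> bytes:
    """EME-OAEP-ENCODE, empty label: `digest` sizes lHash and the seed, `mgf_hash` drives MGF1."""
    h_len = hashlib.new(digest).digest_size
    if len(msg) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(digest, b"").digest()
    db = l_hash + b"\x00" * (k - len(msg) - 2 * h_len - 2) + b"\x01" + msg
    seed = seed or os.urandom(h_len)  # fixed seed only for reproducible tests
    masked_db = xor(db, mgf1(seed, k - h_len - 1, mgf_hash))
    masked_seed = xor(seed, mgf1(masked_db, h_len, mgf_hash))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, digest: str, mgf_hash: str) -> bytes:
    """EME-OAEP-DECODE; a mismatch in either hash parameter surfaces as a decoding error."""
    h_len = hashlib.new(digest).digest_size
    if len(em) != k or em[0] != 0:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, mgf_hash))
    db = xor(masked_db, mgf1(seed, k - h_len - 1, mgf_hash))
    idx = db.find(b"\x01", h_len)
    if db[:h_len] != hashlib.new(digest, b"").digest() or idx < 0 or any(db[h_len:idx]):
        raise ValueError("decoding error")
    return db[idx + 1:]

def interop_check(msg: bytes, k: int = 256) -> dict:
    """Sender uses SHA-256 digest with MGF1-SHA1 (per SDP-ALG01); receivers try three assumptions."""
    em = oaep_encode(msg, k, "sha256", "sha1")
    results = {}
    for digest, mgf in (("sha256", "sha1"), ("sha1", "sha1"), ("sha256", "sha256")):
        try:
            results[f"{digest}/mgf1-{mgf}"] = oaep_decode(em, k, digest, mgf) == msg
        except ValueError:
            results[f"{digest}/mgf1-{mgf}"] = False
    return results
```

Only the `sha256/mgf1-sha1` receiver recovers the plaintext; the other two combinations fail the lHash check, which is exactly the failure an SP sees when its library cannot set the MGF1 hash separately from the digest.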