<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: OpenID Signed Assertions 1.0 - Draft 01</title>
<meta http-equiv="Expires" content="Mon, 04 Dec 2006 00:24:18 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Signed Assertions 1.0 - Draft 01">
<meta name="generator" content="xml2rfc v1.31 (http://xml.resource.org/)">
<style type='text/css'><!--
        body {
                font-family: verdana, charcoal, helvetica, arial, sans-serif;
                font-size: small; color: #000; background-color: #FFF;
                margin: 2em;
        }
h1, h2, h3, h4, h5, h6 {
                font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
                font-weight: bold; font-style: normal;
        }
        h1 { color: #900; background-color: transparent; text-align: right; }
        h3 { color: #333; background-color: transparent; }
        td.RFCbug {
                font-size: x-small; text-decoration: none;
                width: 30px; height: 30px; padding-top: 2px;
                text-align: justify; vertical-align: middle;
                background-color: #000;
        }
        td.RFCbug span.RFC {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: bold; color: #666;
        }
        td.RFCbug span.hotText {
                font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: normal; text-align: center; color: #FFF;
        }
        table.TOCbug { width: 30px; height: 15px; }
        td.TOCbug {
                text-align: center; width: 30px; height: 15px;
                color: #FFF; background-color: #900;
        }
        td.TOCbug a {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
                font-weight: bold; font-size: x-small; text-decoration: none;
                color: #FFF; background-color: transparent;
        }
        td.header {
                font-family: arial, helvetica, sans-serif; font-size: x-small;
                vertical-align: top; width: 33%;
                color: #FFF; background-color: #666;
        }
        td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
        td.author-text { font-size: x-small; }
        /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
        a.info {
                /* This is the key. */
                position: relative;
                z-index: 24;
                text-decoration: none;
        }
        a.info:hover {
                z-index: 25;
                color: #FFF; background-color: #900;
        }
        a.info span { display: none; }
        a.info:hover span.info {
                /* The span will display just on :hover state. */
                display: block;
                position: absolute;
                font-size: smaller;
                top: 2em; left: -5em; width: 15em;
                padding: 2px; border: 1px solid #333;
                color: #900; background-color: #EEE;
                text-align: left;
        }
        a { font-weight: bold; }
        a:link { color: #900; background-color: transparent; }
        a:visited { color: #633; background-color: transparent; }
        a:active { color: #633; background-color: transparent; }
        p { margin-left: 2em; margin-right: 2em; }
        p.copyright { font-size: x-small; }
        p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
        table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
        td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
        ol.text { margin-left: 2em; margin-right: 2em; }
        ul.text { margin-left: 2em; margin-right: 2em; }
        li { margin-left: 3em; }
        /* RFC-2629 <spanx>s and <artwork>s. */
        em { font-style: italic; }
        strong { font-weight: bold; }
        dfn { font-weight: bold; font-style: normal; }
        cite { font-weight: normal; font-style: normal; }
        tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
                font-family: "Courier New", Courier, monospace; font-size: small;
        }
        pre {
                text-align: left; padding: 4px;
                color: #000; background-color: #CCC;
        }
        pre dfn { color: #900; }
        pre em { color: #66F; background-color: #FFC; font-weight: normal; }
        pre .key { color: #33C; font-weight: bold; }
        pre .id { color: #900; }
        pre .str { color: #000; background-color: #CFF; }
        pre .val { color: #066; }
        pre .rep { color: #909; }
        pre .oth { color: #000; background-color: #FCF; }
        pre .err { background-color: #FCC; }
        /* RFC-2629 <texttable>s. */
        table.full, table.headers, table.none {
                font-size: small; text-align: center; border-width: 2px;
                vertical-align: top; border-collapse: collapse;
        }
        table.full { border-style: solid; border-color: black; }
        table.headers, table.none { border-style: none; }
        th {
                font-weight: bold; border-color: black;
                border-width: 2px 2px 3px 2px;
        }
        table.full th { border-style: solid; }
        table.headers th { border-style: none none solid none; }
        table.none th { border-style: none; }
        table.full td {
                border-style: solid; border-color: #333;
                border-width: 1px 2px;
        }
        table.headers td, table.none td { border-style: none; }
        hr { height: 1px; }
        hr.insert {
                width: 80%; border-style: none; border-width: 0;
                color: #CCC; background-color: #CCC;
        }
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">D. Hardt</td></tr>
<tr><td class="header"> </td><td class="header">Sxip Identity</td></tr>
<tr><td class="header"> </td><td class="header">November 2006</td></tr>
</table></td></tr></table>
<h1><br />OpenID Signed Assertions 1.0 - Draft 01</h1>
<h3>Abstract</h3>
<p>
        This document describes a SAML assertion schema extension for
        encoding third-party attested attribute value claims as
        OpenID attributes for use with the OpenID Attribute eXchange
        service.
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Introduction<br />
<a href="#anchor2">2.</a>
Terminology<br />
<a href="#anchor3">2.1.</a>
Definitions and Conventions<br />
<a href="#anchor4">3.</a>
SAML Introduction<br />
<a href="#anchor5">3.1.</a>
SAML Assertions<br />
<a href="#anchor6">4.</a>
Employing SAML in OpenID<br />
<a href="#anchor7">4.1.</a>
Assertion Attributes<br />
<a href="#saml-attribute">5.</a>
OpenID SAML Attribute Profile<br />
<a href="#anchor8">5.1.</a>
Required Information<br />
<a href="#anchor9">5.2.</a>
SAML Attribute Naming<br />
<a href="#anchor10">5.3.</a>
Profile-Specific XML Attributes<br />
<a href="#anchor11">5.4.</a>
SAML Attribute Values<br />
<a href="#anchor12">5.5.</a>
Example<br />
<a href="#saml-assertion">6.</a>
Assertion Schema Extension<br />
<a href="#anchor13">6.1.</a>
Element openid:Assertion<br />
<a href="#anchor14">6.1.1.</a>
Element saml:Assertion<br />
<a href="#assertion-schema">7.</a>
OpenID Assertion Schema<br />
<a href="#refresh">8.</a>
Refreshing an Assertion<br />
<a href="#example-assertion">9.</a>
Example Signed SAML Assertion<br />
<a href="#anchor19">10.</a>
Security Considerations<br />
<a href="#anchor20">11.</a>
Acknowledgements<br />
<a href="#rfc.references1">12.</a>
References<br />
<a href="#rfc.references1">12.1.</a>
Normative References<br />
<a href="#rfc.references2">12.2.</a>
Informative References<br />
<a href="#rfc.authors">§</a>
Author's Address<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<a name="rfc.section.1"></a><h3>1.
Introduction</h3>
<p>
        This document specifies an assertion schema extension of the
        Security Assertion Markup Language (SAML) V2.0 called 'OpenID
        Signed Assertions', for use with the OpenID <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 10,” August 2006.</span><span>)</span></a> Attribute eXchange
        service <a class='info' href='#OpenID.attribute-exchange-1.0'>[OpenID.attribute‑exchange‑1.0]<span> (</span><span class='info'>Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006.</span><span>)</span></a>.
</p>
<p>
        Security Assertion Markup Language (SAML) v2.0, "SAMLv2", is
        an XML-based framework for creating and exchanging security
        information. The SAMLv2 specification set is normatively
        defined by <a class='info' href='#OASIS.saml-conformance-2.0-os'>[OASIS.saml‑conformance‑2.0‑os]<span> (</span><span class='info'>Mishra, P., Philpott, R., and E. Maler, “Conformance Requirements for the Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
</p>
<a name="anchor2"></a><br /><hr />
<a name="rfc.section.2"></a><h3>2.
Terminology</h3>
<p>
        The key words "MUST", "MUST NOT",
        "REQUIRED", "SHALL", "SHALL
        NOT", "SHOULD", "SHOULD NOT",
        "RECOMMENDED", "MAY", and
        "OPTIONAL" in this document are to be interpreted as
        described in <a class='info' href='#RFC2119'>[RFC2119]<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a>.
</p>
<a name="anchor3"></a><br /><hr />
<a name="rfc.section.2.1"></a><h3>2.1.
Definitions and Conventions</h3>
<p>
         [NOTE: Update terminology based on final OpenID 2.0 draft.]
        
</p>
<p>
         In this specification, the term, or term component,
         "SAML" refers to SAML V2.0 in all cases. For
         example, the term "SAML assertion" implicitly
         means "SAMLv2 assertion".
        
</p>
<p>
         For overall SAML terminology, see <a class='info' href='#OASIS.saml-glossary-2.0-os'>[OASIS.saml‑glossary‑2.0‑os]<span> (</span><span class='info'>Hodges, J., Philpott, R., and E. Maler, “Glossary for the Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</p>
<p>
         Conventional XML namespace prefixes are used throughout this
         specification to stand for their respective namespaces as
         follows, whether or not a namespace declaration is present
         in the example:
         </p>
<blockquote class="text"><dl>
<dt>Prefix: openid</dt>
<dd>
         XML Namespace: http://openid.net/xmlns/2.0.
        
</dd>
<dt>Prefix: ds</dt>
<dd>
         XML Namespace: http://www.w3.org/2000/09/xmldsig#. This
         namespace is defined in the XML Signature Syntax and
         Processing specification <a class='info' href='#W3C.REC-xmldsig-core-20020212'>[W3C.REC‑xmldsig‑core‑20020212]<span> (</span><span class='info'>Solo, D., Eastlake, D., and J. Reagle, “XML-Signature Syntax and Processing,” February 2002.</span><span>)</span></a> and its governing schema.
        
</dd>
<dt>Prefix: saml</dt>
<dd>
         XML Namespace: urn:oasis:names:tc:SAML:2.0:assertion.
         This is the SAML V2.0 assertion namespace <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</dd>
</dl></blockquote>
<a name="anchor4"></a><br /><hr />
<a name="rfc.section.3"></a><h3>3.
SAML Introduction</h3>
<p>
        SAML <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a> defines an
        XML-based framework for exchanging "security
        assertions" between entities.
</p>
<p>
        SAML can be employed to make and encode statements such as
        "Beth has these profile attributes and her domain's
        certificate is available over there, and I'm making this
        statement, and here's who I am."
</p>
<p>
        A SAML assertion profile is the specification of the assertion
        schema extension in the context of a particular SAML profile.
        It is possibly further qualified by a particular
        implementation and/or deployment context. Condensed examples
        of SAML assertion profiles are:
        </p>
<ul class="text">
<li>
         The SAML assertion must contain at least one
         authentication statement and no other statements. The
         relying party must be represented in the
         <AudienceRestriction> element. The
         SubjectConfirmation Method must be Foo. etc.
        
</li>
<li>
         The SAML assertion must contain at least one attribute
         statement and may contain more than one. The values for
         the subject's profile attributes named "Foo" and
         "Bar" must be present. An authentication
         statement may be present. etc.
        
</li>
</ul>
<a name="anchor5"></a><br /><hr />
<a name="rfc.section.3.1"></a><h3>3.1.
SAML Assertions</h3>
<p>
         A SAML assertion is a package of information that includes
         issuer and subject information, conditions and advice, and
         zero or more statements (attribute statements, authentication
         statements and/or other kinds of statement). The SAML
         assertion "container" itself contains the following
         information:
         </p>
<blockquote class="text"><dl>
<dt>Issuing information:</dt>
<dd>
         Who issued the assertion, when was it issued and the
         assertion identifier.
        
</dd>
<dt>Subject information:</dt>
<dd>
         The name of the subject, the security domain and
         optional subject information, like public key.
        
</dd>
<dt>Conditions under which the assertion is valid:</dt>
<dd>
         Special kind of conditions like assertion validity
         period, audience restriction and target restriction.
        
</dd>
<dt>Additional advice:</dt>
<dd>
         Explaining how the assertion was made, for example.
        
</dd>
</dl></blockquote>
<p>
         In terms of SAML assertions containing SAML attribute
         statements, here is an explanatory example:
         </p>
<blockquote class="text">
<p>
         With a SAML assertion containing a SAML attribute
         statement, an issuing authority is asserting that the
         subject is associated with certain attributes with
         certain subject profile attribute values. For example,
         user <tt>http://www.home.com/beth</tt> is
         associated with the attribute <tt>http://openid.net/schema/contact/internet/email</tt>,
         which has the value <tt>beth@home.com</tt>.
        
</p>
</blockquote>
<a name="anchor6"></a><br /><hr />
<a name="rfc.section.4"></a><h3>4.
Employing SAML in OpenID</h3>
<p>
        Employing SAML in OpenID necessitates devising a new SAML
        Assertion Profile and a new SAML Attribute Profile because
        those already specified in the SAMLv2 specification set are
        specific to other use contexts and use cases. This does not
        present any untoward difficulties due to SAML's inherent and
        explicit extensibility.
</p>
<a name="anchor7"></a><br /><hr />
<a name="rfc.section.4.1"></a><h3>4.1.
Assertion Attributes</h3>
<p>
         The OpenID attribute exchange service <a class='info' href='#OpenID.attribute-exchange-1.0'>[OpenID.attribute‑exchange‑1.0]<span> (</span><span class='info'>Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006.</span><span>)</span></a> is used to convey
         SAML assertions within an OpenID protocol session. In
         effect, a SAML assertion is used as an envelope to contain
         conventional OpenID attribute value pairs. This envelope is
         then assigned as a value for the SAML assertion attribute
         type. An attribute value that contains a SAML assertion
         MUST be base 64 <a class='info' href='#RFC3548'>[RFC3548]<span> (</span><span class='info'>Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” July 2003.</span><span>)</span></a> encoded.
        
</p>
<p>
         Assertion attribute names MAY be any unique identifier as
         outlined in <a class='info' href='#OpenID.attribute-exchange-1.0'>[OpenID.attribute‑exchange‑1.0]<span> (</span><span class='info'>Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006.</span><span>)</span></a>.
        
</p>
<a name="saml-attribute"></a><br /><hr />
<a name="rfc.section.5"></a><h3>5.
OpenID SAML Attribute Profile</h3>
<p>
        The OpenID Attribute Profile specifies how OpenID attributes
        can be represented as SAML Attributes.
</p>
<p>
        An OpenID attribute is a property value assertion that can
        either be self-asserted or asserted by a third party. An
        example of a third-party assertion would be a government
        agency asserting that Beth is older than 21. This Attribute
        Profile describes an OpenID attribute represented as a SAML
        Assertion.
</p>
<a name="anchor8"></a><br /><hr />
<a name="rfc.section.5.1"></a><h3>5.1.
Required Information</h3>
<p>
         The information given in this section is similar to the
         information provided when registering something, a MIME
         Media Type, say, with IANA. In this case, it is for
         registering this profile with the OASIS SSTC. See section 2
         "Specification of Additional Profiles" in <a class='info' href='#OASIS.saml-profiles-2.0-os'>[OASIS.saml‑profiles‑2.0‑os]<span> (</span><span class='info'>Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., and E. Maler, “Profiles for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</p>
<blockquote class="text"><dl>
<dt>Identification:</dt>
<dd>
         TBD: urn:openid:saml-profile:attribute or http://openid.net/saml-profile/attribute
        
</dd>
<dt>Contact Information:</dt>
<dd>
         TBD: someone's or something's contact info goes here.
        
</dd>
<dt>Description:</dt>
<dd>
         Given below.
        
</dd>
<dt>Updates:</dt>
<dd>
         None.
        
</dd>
</dl></blockquote>
<a name="anchor9"></a><br /><hr />
<a name="rfc.section.5.2"></a><h3>5.2.
SAML Attribute Naming</h3>
<p>
         The NameFormat XML attribute in <Attribute> must be
         urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri. The
         Name XML attribute MUST be the OpenID attribute name and
         MUST adhere to the rules specified for that format. OpenID
         attribute names are defined in <a class='info' href='#OpenID.attribute-exchange-1.0'>[OpenID.attribute‑exchange‑1.0]<span> (</span><span class='info'>Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006.</span><span>)</span></a>. SAML Attribute
         Name formats are defined in <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</p>
<a name="anchor10"></a><br /><hr />
<a name="rfc.section.5.3"></a><h3>5.3.
Profile-Specific XML Attributes</h3>
<p>
         No additional XML attributes are defined for use with the
         <Attribute> element.
        
</p>
<a name="anchor11"></a><br /><hr />
<a name="rfc.section.5.4"></a><h3>5.4.
SAML Attribute Values</h3>
<p>
         The <AttributeValue> MUST be the OpenID attribute
         value, as defined in <a class='info' href='#OpenID.attribute-exchange-1.0'>[OpenID.attribute‑exchange‑1.0]<span> (</span><span class='info'>Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006.</span><span>)</span></a>.
        
</p>
<a name="anchor12"></a><br /><hr />
<a name="rfc.section.5.5"></a><h3>5.5.
Example</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"
    Name="http://openid.net/schema/contact/internet/email">
  <saml:AttributeValue>
    beth@home.com
  </saml:AttributeValue>
</saml:Attribute>
</pre></div>
<a name="saml-assertion"></a><br /><hr />
<a name="rfc.section.6"></a><h3>6.
Assertion Schema Extension</h3>
<p>
        An OpenID attribute value may be asserted by the user or by a
        third-party. Third-party asserted attribute values include
        meta-data about the assertion in part to enable the recipient
        to verify the validity of the assertion. There are multiple
        possible ways of encoding a third-party assertion, and
        multiple possible ways to verify them. A SAML Assertion is
        one such encoding, and a digital signature is one verification
        mechanism.
</p>
<p>
        This section defines the particulars of how the sender,
        i.e. the SAML Authority, constructs certain portions of the
        SAML assertions it issues. The schema for SAML assertions
        themselves is defined in Section 2.3 of <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
</p>
<p>
        An example SAML assertion, formulated according to this
        profile is given in <a class='info' href='#example-assertion'>Section 9<span> (</span><span class='info'>Example Signed SAML Assertion</span><span>)</span></a>.
</p>
<p>
        Overall SAML assertion profile requirements:
        </p>
<blockquote class="text">
<p>
         The SAML assertion MUST be signed by the same key as used
         to sign the contents of the Identity header field. Signing
         of SAML assertions is defined in section 5.4 of <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</p>
</blockquote>
<p>
        In the following subsections, the SAML assertion profile is
        specified element-by-element, in a top-down, depth-first
        manner, beginning with the outermost element,
        "<OpenIDAssertion>". This specification
        introduces the "<OpenIDAssertion>" element as
        a wrapper around the SAML "<Assertion>"
        element to add OpenID meta-data to the assertion. Where
        applicable, the requirements for an element's XML attributes
        are also stated, as a part of the element's description.
        Requirements for any given element or XML attribute are only
        stated when, in the context of use of this profile, they are
        not already sufficiently defined by <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
</p>
<a name="anchor13"></a><br /><hr />
<a name="rfc.section.6.1"></a><h3>6.1.
Element openid:Assertion</h3>
<blockquote class="text"><dl>
<dt>Attribute openid:RefreshURL</dt>
<dd>
         RefreshURL is an OPTIONAL XML attribute that, if
         specified, SHOULD be set to the URL where an updated
         assertion can be requested as per <a class='info' href='#refresh'>Section 8<span> (</span><span class='info'>Refreshing an Assertion</span><span>)</span></a>.
        
</dd>
</dl></blockquote>
<a name="anchor14"></a><br /><hr />
<a name="rfc.section.6.1.1"></a><h3>6.1.1.
Element saml:Assertion</h3>
<blockquote class="text"><dl>
<dt>Attribute: ID</dt>
<dd>
                The value for the ID XML attribute SHOULD be allocated
                randomly such that the value meets the randomness
                requirements specified in section 1.3.4 of <a class='info' href='#OASIS.saml-core-2.0-os'>[OASIS.saml‑core‑2.0‑os]<span> (</span><span class='info'>Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language          (SAML) V2.0,” March 2005.</span><span>)</span></a>.
        
</dd>
<dt>Attribute: IssueInstant</dt>
<dd>
                The value for the IssueInstant XML attribute SHOULD be
                set at the time the SAML assertion is created (and
                cached for subsequent retrieval).
        
</dd>
</dl></blockquote>
<a name="anchor15"></a><br /><hr />
<a name="rfc.section.6.1.1.1"></a><h3>6.1.1.1.
Element saml:Issuer</h3>
<p>
         If the signature contains a ds:X509Certificate, the
         value for the Issuer XML element SHOULD be a value that
         matches either the Subject or the Subject Alternative
         Name fields <a class='info' href='#RFC3280'>[RFC3280]<span> (</span><span class='info'>Housley, R., Polk, W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” April 2002.</span><span>)</span></a> in the certificate.
         The certificate element is located on this path within
         the SAML assertion:
         </p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<saml:Assertion
  <ds:Signature
    <ds:KeyInfo
      <ds:X509Data
        <ds:X509Certificate
</pre></div><p>
         In this case the Issuer element is in the format of the
         X.501 type Name.
        
</p>
<p>
         Assertions with signatures that do not contain an
         X509Certificate may use an issuer identifier that
         matches the ds:KeyName element (see <a class='info' href='#W3C.REC-xmldsig-core-20020212'>[W3C.REC‑xmldsig‑core‑20020212]<span> (</span><span class='info'>Solo, D., Eastlake, D., and J. Reagle, “XML-Signature Syntax and Processing,” February 2002.</span><span>)</span></a>).
        
</p>
<a name="anchor16"></a><br /><hr />
<a name="rfc.section.6.1.1.2"></a><h3>6.1.1.2.
Element saml:Subject</h3>
<p>
         The <saml:Assertion> element MUST contain a
         <saml:Subject> element.
        
</p>
<p>
         The <saml:Subject> element MUST contain a
         <saml:NameID> element.
        
</p>
<p>
         The value of the <saml:NameID> element is a
         subject identifier, either a Claimed Identifier or IdP
         Identifier in OpenID parlance.
        
</p>
<a name="anchor17"></a><br /><hr />
<a name="rfc.section.6.1.1.3"></a><h3>6.1.1.3.
Element saml:Conditions</h3>
<p>
         The following XML attributes of the <saml:Conditions>
         element MAY be set as follows:
         </p>
<blockquote class="text"><dl>
<dt>Attribute: NotBefore</dt>
<dd>
                 The value of the NotBefore XML attribute must be set
                 to a time instant the same as the value for the
                 IssueInstant XML attribute discussed above, or to a
                 later time.
                
</dd>
<dt>Attribute: NotOnOrAfter</dt>
<dd>
                 The value of the NotOnOrAfter XML attribute MUST be
                 set to a time instant later than the value for
                 NotBefore.
                
</dd>
</dl></blockquote>
<a name="anchor18"></a><br /><hr />
<a name="rfc.section.6.1.1.4"></a><h3>6.1.1.4.
Element saml:AttributeStatement</h3>
<p>
         The SAML assertion MUST contain a single
         <saml:AttributeStatement> element. The
         <saml:AttributeStatement> element MUST contain one
         or more attribute-value pairs, encoded according to the
         OpenID attribute schema extension <a class='info' href='#saml-attribute'>Section 5<span> (</span><span class='info'>OpenID SAML Attribute Profile</span><span>)</span></a>. It is RECOMMENDED that the
         number of <saml:Attribute> elements within the
         <saml:AttributeStatement> be limited to one.
</p>
<a name="assertion-schema"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.7"></a><h3>7.
OpenID Assertion Schema</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Schema for OpenIDAssertion -->
<schema
targetNamespace="http://openid.net/xmlns/2.0"
xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:openid="http://openid.net/xmlns/2.0"
elementFormDefault="unqualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
version="1.0">
<import
namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
<element name="Assertion" type="openid:AssertionType"/>
<complexType name="AssertionType">
<sequence>
<element ref="saml:Assertion" minOccurs="0" maxOccurs="1"/>
</sequence>
<attribute name="RefreshURL" type="anyURI" use="optional"/>
</complexType>
</schema>
</pre></div>
<a name="refresh"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.8"></a><h3>8.
Refreshing an Assertion</h3>
<p>
        The mechanism for refreshing an assertion based on the
        RefreshURL attribute of the openid:AssertionType element is
        not presently defined. [TBD: define refresh protocol]
</p>
<p>
        The RefreshURL attribute may be supplied by the asserting
        party. An identity provider that has retrieved such an
        assertion SHOULD NOT, in general, pass the RefreshURL on to
        relying parties, in keeping with the rule of minimal
        disclosure.
</p>
<a name="example-assertion"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.9"></a><h3>9.
Example Signed SAML Assertion</h3>
<p>
        Below is an example of a signed SAML assertion, wrapped in the
        openid:Assertion element defined in <a class='info' href='#assertion-schema'>Section 7<span> (</span><span class='info'>OpenID Assertion Schema</span><span>)</span></a>:
        </p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<openid:Assertion
xmlns:openid="http://openid.net/xmlns/2.0"
RefreshURL="http://example-verified-email.com/renew">
<Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
example-verified-email.com
</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
<ds:Transforms>
<ds:Transform
Algorithm=
"http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces
PrefixList="#default saml ds xs xsi"
xmlns=
"http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
Kclet6XcaOgOWXM4gty6/UNdviI=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
hq4zk+ZknjggCQgZm7ea8fI7...Hr7wHxvCCRwubnmIfZ6RqVL+wNmeWI4=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
MRIwEAYDVQQIEwlXaXNjb ..... dnP6Hr7wHxvCCRwubnmIfZ6QZAv2FU78pLX
8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdiowMNTrEG8cCx3w/w==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<Subject>
<NameID
Format=
"urn:oasis:names:tc:SAML:1.1:nameid-format:entity">
http://www.home.com/beth
</NameID>
</Subject>
<Conditions NotBefore="2003-04-17T00:46:02Z">
</Conditions>
<AttributeStatement>
<Attribute
NameFormat=
"urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"
Name="http://openid.net/schema/contact/web/blog">
<AttributeValue>http://bethexample.blogspot.com</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</openid:Assertion>
</pre></div>
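<p>
        As an added example that is not part of this draft, the following
        Python code applies the relying-party checks stated in Sections
        6.1.1.2 through 6.1.1.4 and the Section 7 schema to an assertion of
        the shape shown above, and then applies the usual SAML 2.0 validity
        window (NotBefore <= now < NotOnOrAfter). The embedded sample
        assertion is constructed from the Section 9 example, with a
        NotOnOrAfter attribute added and the signature cut down to its
        Reference plus a placeholder value; the function names and the
        rejection messages are this example's own. The code checks structure
        and timing only and does not verify the XML signature.
</p>

```python
"""Added example, not the draft's own code: relying-party structural checks for an openid:Assertion
wrapping a signed SAML 2.0 assertion (Sections 6.1.1.2-6.1.1.4, Section 7 schema) plus the SAML
validity window. It does NOT verify the XML signature; an XML-DSig library must do that first."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"openid": "http://openid.net/xmlns/2.0", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' xs:dateTime form the draft's example uses."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _text(elem, what):
    # Non-empty text content of a required element, else ValueError.
    if elem is None or not (elem.text or "").strip():
        raise ValueError(what + " missing")
    return elem.text.strip()

def validate_openid_assertion(xml_text, now):
    """Return the facts a relying party may use, or raise ValueError on the first violation."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["openid"]:
        raise ValueError("root element must be openid:Assertion")
    saml = root.find("saml:Assertion", NS)
    if saml is None:
        raise ValueError("no saml:Assertion inside openid:Assertion")
    assertion_id = saml.get("ID")
    if saml.get("Version") != "2.0" or not assertion_id or not saml.get("IssueInstant"):
        raise ValueError("saml:Assertion needs Version=2.0, ID and IssueInstant")
    issue_instant = _utc(saml.get("IssueInstant"))
    issuer = _text(saml.find("saml:Issuer", NS), "saml:Issuer")
    # Section 6.1.1.2: the Subject MUST carry a NameID (the OpenID identifier).
    subject = _text(saml.find("saml:Subject/saml:NameID", NS), "saml:Subject/saml:NameID")
    # The enveloped signature's Reference must point at this Assertion's own ID (as in Section 9).
    ref = saml.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        raise ValueError("ds:Reference missing or not pointing at the Assertion ID")
    # Section 6.1.1.3: NotBefore >= IssueInstant and NotOnOrAfter > NotBefore.
    cond = saml.find("saml:Conditions", NS)
    stamps = dict(cond.attrib) if cond is not None else {}
    not_before = _utc(stamps["NotBefore"]) if stamps.get("NotBefore") else None
    not_on_or_after = _utc(stamps["NotOnOrAfter"]) if stamps.get("NotOnOrAfter") else None
    if not_before is not None and not_before < issue_instant:
        raise ValueError("NotBefore precedes IssueInstant")
    if not_before is not None and not_on_or_after is not None and not_on_or_after <= not_before:
        raise ValueError("NotOnOrAfter must be later than NotBefore")
    # SAML 2.0 condition semantics: the assertion is valid while NotBefore <= now < NotOnOrAfter.
    if not_before is not None and now < not_before:
        raise ValueError("assertion not yet valid")
    if not_on_or_after is not None and now >= not_on_or_after:
        raise ValueError("assertion expired")
    # Section 6.1.1.4: exactly one AttributeStatement holding at least one Attribute.
    stmts = saml.findall("saml:AttributeStatement", NS)
    if len(stmts) != 1:
        raise ValueError("expected exactly one saml:AttributeStatement")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in stmts[0].findall("saml:Attribute", NS)}
    if not attrs:
        raise ValueError("saml:AttributeStatement holds no saml:Attribute")
    return {"issuer": issuer, "subject": subject, "attributes": attrs,
            "refresh_url": root.get("RefreshURL"),  # optional per the Section 7 schema
            "not_before": not_before, "not_on_or_after": not_on_or_after}

def rejection_reason(xml_text, now):
    """Return the violation message, or None when the assertion validates."""
    try:
        validate_openid_assertion(xml_text, now)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample modelled on the Section 9 example: a NotOnOrAfter is added and the
# signature is cut down to its Reference plus a placeholder value (bytes are not checked here).
SAMPLE = """<openid:Assertion xmlns:openid="http://openid.net/xmlns/2.0"
    RefreshURL="http://example-verified-email.com/renew">
 <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z"
    Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>example-verified-email.com</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo><ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc"/></ds:SignedInfo>
   <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:entity">http://www.home.com/beth</NameID></Subject>
  <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2003-04-17T01:46:02Z"/>
  <AttributeStatement>
   <Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"
      Name="http://openid.net/schema/contact/web/blog">
    <AttributeValue>http://bethexample.blogspot.com</AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</openid:Assertion>"""
IN_WINDOW = datetime(2003, 4, 17, 0, 50, tzinfo=timezone.utc)

def demo():
    """Accept the sample inside its window; reject it once expired and with a re-pointed Reference."""
    facts = validate_openid_assertion(SAMPLE, IN_WINDOW)
    expired = rejection_reason(SAMPLE, datetime(2003, 4, 17, 2, 0, tzinfo=timezone.utc))
    repointed = rejection_reason(SAMPLE.replace('URI="#_a75adf55', 'URI="#_other'), IN_WINDOW)
    return facts, expired, repointed
```

<p>
        The Section 6.1.1.3 rules catch an assertion that the asserting
        party built inconsistently; the window check against the current
        time is what bounds how long a captured assertion remains
        presentable, so a relying party should apply both. Run XML-DSig
        verification before these checks, and parse untrusted XML with a
        hardened parser (for example defusedxml) rather than xml.etree
        directly. Note also that the Section 9 example signs with rsa-sha1
        and digests with sha1; a verifier deployed today should be configured
        to reject SHA-1 based algorithms.
</p>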
<a name="anchor19"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.10"></a><h3>10.
Security Considerations</h3>
<p>
        [NOTE: TBD]
</p>
<a name="anchor20"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.11"></a><h3>11.
Acknowledgements</h3>
<p>
        Thanks to John Merrels, the author of the document
        'draft-merrels-dix-assertion', and to that document's other
        contributors; portions of it were re-used for this one.
</p>
<a name="rfc.references"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.12"></a><h3>12.
References</h3>
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>12.1. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="OASIS.saml-conformance-2.0-os">[OASIS.saml-conformance-2.0-os]</a></td>
<td class="author-text"><a href="mailto:pmishra@principalidentity.com">Mishra, P.</a>, <a href="mailto:rphilpott@rsasecurity.com">Philpott, R.</a>, and <a href="mailto:eve.maler@sun.com">E. Maler</a>, “<a href="http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf">Conformance Requirements for the Security Assertion Markup Language
         (SAML) V2.0</a>,” OASIS Standard saml-conformance-2.0-os, March 2005.</td></tr>
<tr><td class="author-text" valign="top"><a name="OASIS.saml-core-2.0-os">[OASIS.saml-core-2.0-os]</a></td>
<td class="author-text"><a href="mailto:cantor.2@osu.edu">Cantor, S.</a>, <a href="mailto:John.Kemp@nokia.com">Kemp, J.</a>, <a href="mailto:rphilpott@rsasecurity.com">Philpott, R.</a>, and <a href="mailto:eve.maler@sun.com">E. Maler</a>, “<a href="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf">Assertions and Protocol for the OASIS Security Assertion Markup Language
         (SAML) V2.0</a>,” OASIS Standard saml-core-2.0-os, March 2005.</td></tr>
<tr><td class="author-text" valign="top"><a name="OASIS.saml-profiles-2.0-os">[OASIS.saml-profiles-2.0-os]</a></td>
<td class="author-text">Hughes, J., <a href="mailto:cantor.2@osu.edu">Cantor, S.</a>, <a href="mailto:Jeff.Hodges@neustar.biz">Hodges, J.</a>, <a href="mailto:Frederick.Hirsch@nokia.com">Hirsch, F.</a>, <a href="mailto:pmishra@principalidentity.com">Mishra, P.</a>, <a href="mailto:rphilpott@rsasecurity.com">Philpott, R.</a>, and <a href="mailto:eve.maler@sun.com">E. Maler</a>, “<a href="http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf">Profiles for the OASIS Security Assertion Markup Language
         (SAML) V2.0</a>,” OASIS Standard saml-profiles-2.0-os, March 2005.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.attribute-exchange-1.0">[OpenID.attribute-exchange-1.0]</a></td>
<td class="author-text"><a href="mailto:dick@sxip.com">Hardt, D.</a>, “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006 (<a href="http://www.openid.net/specs/openid-attribute-exchange-1_0-03.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-attribute-exchange-1_0-03.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.authentication-2.0">[OpenID.authentication-2.0]</a></td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">Recordon, D.</a>, <a href="mailto:josh@janrain.com">Hoyt, J.</a>, <a href="mailto:brad@danga.com">Fitzpatrick, B.</a>, and <a href="mailto:dick@sxip.com">D. Hardt</a>, “OpenID Authentication 2.0 - Draft 10,” August 2006 (<a href="http://www.openid.net/specs/openid-authentication-2_0-10.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-2_0-10.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, “<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC3280">[RFC3280]</a></td>
<td class="author-text">Housley, R., Polk, W., Ford, W., and D. Solo, “<a href="ftp://ftp.isi.edu/in-notes/rfc3280.txt">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>,” RFC 3280, April 2002.</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC3548">[RFC3548]</a></td>
<td class="author-text">Josefsson, S., “<a href="ftp://ftp.isi.edu/in-notes/rfc3548.txt">The Base16, Base32, and Base64 Data Encodings</a>,” RFC 3548, July 2003.</td></tr>
<tr><td class="author-text" valign="top"><a name="W3C.REC-xmldsig-core-20020212">[W3C.REC-xmldsig-core-20020212]</a></td>
<td class="author-text">Solo, D., Eastlake, D., and J. Reagle, “<a href="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212">XML-Signature Syntax and Processing</a>,” W3C Recommendation REC-xmldsig-core-20020212, February 2002.</td></tr>
</table>
<a name="rfc.references2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>12.2. Informative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="OASIS.saml-glossary-2.0-os">[OASIS.saml-glossary-2.0-os]</a></td>
<td class="author-text"><a href="mailto:Jeff.Hodges@neustar.biz">Hodges, J.</a>, <a href="mailto:rphilpott@rsasecurity.com">Philpott, R.</a>, and <a href="mailto:eve.maler@sun.com">E. Maler</a>, “<a href="http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf">Glossary for the Security Assertion Markup Language
         (SAML) V2.0</a>,” OASIS Standard saml-glossary-2.0-os, March 2005.</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.attribute-types-1.0">[OpenID.attribute-types-1.0]</a></td>
<td class="author-text"><a href="mailto:dick@sxip.com">Hardt, D.</a>, “OpenID Attribute Types - Draft 02,” November 2006 (<a href="http://www.openid.net/specs/openid-attribute-types-1_0-02.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-attribute-types-1_0-02.html">HTML</a>).</td></tr>
</table>
<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>Author's Address</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Dick Hardt</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Sxip Identity</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">798 Beatty Street</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Vancouver, BC V6B 2M1</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">CA</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:dick@sxip.com">dick@sxip.com</a></td></tr>
<tr><td class="author" align="right">URI: </td>
<td class="author-text"><a href="http://sxip.com/">http://sxip.com/</a></td></tr>
</table>
</body></html>