Normally, before the selector requests a security token from the IdP's token service endpoint, it asks the IdP's metadata endpoint and retrieves the metadata, which tells it whether transport security or symmetric binding (and other settings) are to be used in the token request.
I suggest that we define a simple profile that basically skips the metadata retrieval step and replaces it with default data.
An IdP that wants the simple profile to be used just issues Information Cards that do not contain the metadata endpoint information.
Instead of:
<ic:TokenService>
  <wsa:EndpointReference>
    <wsa:Address>https://contoso.com/sts/pwd</wsa:Address>
    <wsa:Metadata>
      <wsx:Metadata>
        <wsx:MetadataSection Dialect="https://schemas.xmlsoap.org/ws/2004/09/mex">
          <wsx:MetadataReference>
            <wsa:Address>https://contoso.com/sts/pwd/mex</wsa:Address>
          </wsx:MetadataReference>
        </wsx:MetadataSection>
      </wsx:Metadata>
    </wsa:Metadata>
  </wsa:EndpointReference>
  <ic:UserCredential>
    <ic:UsernamePasswordCredential>
      <ic:Username>Zoe</ic:Username>
    </ic:UsernamePasswordCredential>
  </ic:UserCredential>
</ic:TokenService>
</ic:TokenServiceList>
the Information Card would contain just:
<ic:TokenService>
  <wsa:EndpointReference>
    <wsa:Address>https://contoso.com/sts/pwd</wsa:Address>
  </wsa:EndpointReference>
  <ic:UserCredential>
    <ic:UsernamePasswordCredential>
      <ic:Username>Zoe</ic:Username>
    </ic:UsernamePasswordCredential>
  </ic:UserCredential>
</ic:TokenService>
</ic:TokenServiceList>
What are the default values of the metadata that the selector assumes?
- Transport security must be used; the IdP token service uses SSL/TLS.
- We might assume that the Information Card signing certificate is the same as the security token service certificate, IFF the issuer does not use WS-AddressingAndIdentity to specify the STS certificate...
Maybe there are other assumptions that I just cannot remember now? What are the security implications?
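As an added illustration (my own code, not from the post or from any selector implementation), here is how a selector could derive its token-request settings from a card's ic:TokenService element: a wsx:MetadataReference means the metadata must be fetched as today, while its absence selects the simple profile with the defaults listed above, and since transport security is then the only protection assumed, a non-https token service address is refused. The namespace URIs, the helper names and the sample cards are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace URIs assumed for this example; the post shows only the prefixes.
NS = {
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsx": "http://schemas.xmlsoap.org/ws/2004/09/mex",
}
MEX_PATH = ("wsa:Metadata/wsx:Metadata/wsx:MetadataSection/"
            "wsx:MetadataReference/wsa:Address")


def card_token_service(address, mex=None):
    """Build a constructed ic:TokenService fragment, with or without a mex reference."""
    metadata = "" if mex is None else (
        '<wsa:Metadata><wsx:Metadata>'
        '<wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">'
        f'<wsx:MetadataReference><wsa:Address>{mex}</wsa:Address></wsx:MetadataReference>'
        '</wsx:MetadataSection></wsx:Metadata></wsa:Metadata>')
    return (f'<ic:TokenService xmlns:ic="{NS["ic"]}" xmlns:wsa="{NS["wsa"]}" '
            f'xmlns:wsx="{NS["wsx"]}"><wsa:EndpointReference>'
            f'<wsa:Address>{address}</wsa:Address>{metadata}</wsa:EndpointReference>'
            '<ic:UserCredential><ic:UsernamePasswordCredential><ic:Username>Zoe'
            '</ic:Username></ic:UsernamePasswordCredential></ic:UserCredential>'
            '</ic:TokenService>')


def plan_token_request(token_service_xml):
    """Decide full vs. simple profile from one ic:TokenService element.

    Full profile: a metadata reference is present, so the binding and the STS
    certificate are unknown until the metadata has been retrieved.
    Simple profile: no wsa:Metadata at all, so apply the proposed defaults
    (transport binding over TLS, STS certificate = card signing certificate).
    """
    root = ET.fromstring(token_service_xml)
    epr = root.find("wsa:EndpointReference", NS)
    address = epr.findtext("wsa:Address", default="", namespaces=NS).strip()
    mex = epr.find(MEX_PATH, NS)
    if mex is not None:
        return {"profile": "full", "sts": address, "mex": mex.text.strip(),
                "binding": None, "sts_cert": "from metadata"}
    # Simple profile: transport security is all we rely on, so insist on https.
    if urlparse(address).scheme != "https":
        raise ValueError("simple profile requires an https token service: " + address)
    return {"profile": "simple", "sts": address, "mex": None,
            "binding": "transport", "sts_cert": "card signing certificate"}
```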
Please help to make the Identity Metasystem as simple as possible (but not simpler).