[Wg-iop] Reminder: IOP WG Teleconference July 23 - Vote on SAML 2.0 Test Plan v3.3


Joni Brennan

Jul 22, 2010, 12:45:57 PM
to wg-iop
Hello IOP WG,

The awaited Kantara Initiative SAML 2.0 Test Plan 3.3 has been posted [1].  We will hold a vote on this document to release as a Report on tomorrow's teleconference.  If you are a voting member [2] of the IOP WG please be sure to attend.

[1] http://kantarainitiative.org/confluence/download/attachments/41649589/Kantara_Initiative_SAML_Test+Plan_Draft_Report_v3.3.doc
[2] http://kantarainitiative.org/confluence/display/iopwg/Participant+Roster

Call Details:

July 23 - 8:00 PDT / 11:00 EDT / 17:00 CEST
Teleconference Info:
*         Skype: +9900827042954214
*         North American Dial-In: +1-201-793-9022
*         Room Code (Pass Code): 2954214
*         International: http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info

Thanks,

Joni

--
Joni Brennan
IEEE-ISTO
Managing Director, Kantara Initiative
voice:+1 732-226-4223
email: joni @ ieee-isto.org
gtalk: jonibrennan
skype: upon request

Join the conversation on the community@ list - http://kantarainitiative.org/mailman/listinfo/community

John Bradley

Jul 22, 2010, 2:50:01 PM
to Joni Brennan, Colin Wallis, wg-iop
I have a concern that 3.2.17 Test Case Q is seriously flawed.

It only tests support for two specific context URN.  The current use of this by governments is to express conformance to a specific certification, like the ICAM SAML 2.0 LoA 2 profile.

The relevant section of the SAML spec is 3.3.2.2.1.  

The RequestedAuthnContext is an ordered list of AuthnContextClassRef, each containing a URI.  These are compared in order to determine the best match.

As a real example I may send
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1
    </saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        http://incommonfederation.org/assurance/bronze
    </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>


I expect to get back an assertion that contains one of the two ClassRefs or no AuthnContext.

Working on the catalyst interop it is clear that one or more products that have passed eGov 1.5 can't do this.  
Some can only support the test URN.

I would like to see Q expanded to include one or more real URL and sending an ordered list with exact.

This is basic functionality from the core spec that is REQUIRED to meet the ICAM profile.

In testing for catalyst it is also apparent that some vendors are only supporting importing single EntityDescriptors from meta-data.

I am quite sure that the requirement is to import EntitiesDescriptor files with multiple EntityDescriptors.
I think Scott may have not been explicit enough, because it is obvious to us that it is a requirement, but perhaps not to others.

I have also discovered some issues where files containing multiple IDPSSODescriptors for the same Entity are not supported.

IOP expects the basic meta-data spec to be supported so I don't think Scott included the super basic tests for meta-data.

I won't start on the security testing:)

John B.


_______________________________________________
WG-IOP mailing list
WG-...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-iop
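The ordered, Comparison="exact" matching John describes above, as an added example that is not code from this thread or from the Kantara test plan: an SP-side check that parses the two-entry RequestedAuthnContext from his message and classifies what an IdP asserted back as a ranked match, an absent AuthnContext, or a mismatch (the case of a product that can only return a fixed test URN). The assertion skeleton and the "urn:example:test-only-context" URN are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Sample input: the two-entry RequestedAuthnContext from the message (re-typed here as constructed data).
REQUESTED_XML = f"""<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Comparison="exact">
  <saml:AuthnContextClassRef>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>http://incommonfederation.org/assurance/bronze</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>"""

def assertion_with(class_ref: Optional[str]) -> str:
    """Build a minimal constructed <saml:Assertion>; None omits AuthnContext altogether."""
    ctx = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>"
           if class_ref is not None else "")
    return f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>{ctx}</saml:AuthnStatement></saml:Assertion>'

def requested_class_refs(xml_text: str) -> List[str]:
    """Ordered list of requested URIs; whitespace around each URI is stripped, order is preserved."""
    root = ET.fromstring(xml_text)
    # Comparison defaults to "exact" in SAML Core; this checker implements only that mode.
    if root.get("Comparison", "exact") != "exact":
        raise ValueError("only Comparison=exact is implemented here")
    return [(e.text or "").strip() for e in root.findall(f"{{{SAML}}}AuthnContextClassRef")]

def returned_class_ref(assertion_xml: str) -> Optional[str]:
    """The AuthnContextClassRef the IdP asserted, or None when the AuthnStatement carries no AuthnContext."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    e = root.find(path)
    return (e.text or "").strip() if e is not None else None

def check_exact(requested: List[str], returned: Optional[str]) -> str:
    """'match:<rank>' (0 = most preferred) when the asserted context is one of the requested URIs,
    'absent' when no AuthnContext came back, 'mismatch' for anything else (e.g. a fixed test URN)."""
    if returned is None:
        return "absent"
    if returned in requested:
        return f"match:{requested.index(returned)}"
    return "mismatch"

def evaluate(requested_xml: str, assertion_xml: str) -> str:
    """End-to-end: parse the request, extract the asserted context, classify the outcome."""
    return check_exact(requested_class_refs(requested_xml), returned_class_ref(assertion_xml))

if __name__ == "__main__":
    for ctx in ["http://incommonfederation.org/assurance/bronze", "urn:example:test-only-context", None]:
        print(ctx, "->", evaluate(REQUESTED_XML, assertion_with(ctx)))
```

A "mismatch" result is the interop failure the message describes; an SP should treat it as a failed authentication request rather than silently accepting the assertion.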

Joni Brennan

Jul 22, 2010, 2:57:41 PM
to John Bradley, Colin Wallis, wg-iop
John,

Thank you for raising this issue.  Is it possible that you have the bandwidth to provide a redline with suggested corrections such that we might still be on track for tomorrow?  I realize this is very short timing but I'm hopeful that your expertise and input can guide us to the suggested correction speedily! 

- Joni
--
Joni Brennan
IEEE-ISTO
Kantara Initiative
Managing Director