Figure 14: SAML AttributeStatement
Figure 15: SAML Subject
The integrity of identity tokens handled by the various parties can be assured by XML Digital Signature [XMLSig], which is applied to an Assertion artifact containing one or
more Statements. If the identity provider (the signer) is known to and trusted by the service provider, the signature can be verified and the integrity of the identity information contained in the identity token is thereby established; a token whose signature cannot be verified, or whose signer is unknown, must not be relied upon.
9.2 License Reference Tokens in OWS-4
OWS-4 GeoDRM uses and communicates license tokens in the form of a reference to the real license, hence the name "license reference token". A license reference
token as defined here is therefore only a pointer: it is not valid on its own and cannot be acted upon without resolving it to the complete license token.
The following information is conveyed by the License Reference Token:
• URL for License Manager: a URL that points to the license manager where the license is stored
• ID: a string that uniquely identifies the license within that license manager
9.2.1 License Reference Token encoding
A License Reference Token is encoded as a SAML Assertion containing an AttributeStatement, which in turn contains the following two attributes. Both attributes are in the
namespace http://www.opengeospatial.org/schemas/ows4:
• urn:opengeospatial:ows4:geodrm:licenseManagerURL
• urn:opengeospatial:ows4:geodrm:licenseID
Copyright © 2007 Open Geospatial Consortium

    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        AssertionID="_6e6a4ef27ee135a97b4f0843a1317c7d"
        IssueInstant="2007-01-15T17:29:14.968Z"
        Issuer="http://iisdemo.informatik.unibw-muenchen.de/ows4/DummyLicenseManager"
        MajorVersion="1"
        MinorVersion="1">
      <Conditions NotBefore="2007-01-15T17:29:14.968Z"
                  NotOnOrAfter="2007-02-07T21:02:34.968Z">
      </Conditions>
      <AttributeStatement>
        <Subject>
          <SubjectConfirmation>
            <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
          </SubjectConfirmation>
        </Subject>
        <Attribute AttributeName="urn:opengeospatial:ows4:geodrm:licenseManagerURL"
                   AttributeNamespace="http://www.opengeospatial.org/schmas/ows4">
          <AttributeValue>http://iisdemo.informatik.unibw-muenchen.de/ows4/DummyLicenseManager</AttributeValue>
        </Attribute>
        <Attribute AttributeName="urn:opengeospatial:ows4:geodrm:licenseID"
                   AttributeNamespace="http://www.opengeospatial.org/schmas/ows4">
          <AttributeValue>ID_LICENSE_3</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
As seen in the example, because the token is a SAML assertion it also carries the following information:
• Issuing instance (the Issuer attribute) and the IssueInstant
• Validity period (see Conditions)
  o NotBefore
  o NotOnOrAfter (expiration)
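As an added example (not code from the OWS-4 report, OGC or OpenSAML), the following Python parses a License Reference Token of the shape shown above and applies the checks a service provider would make before resolving it: the document is a SAML 1.1 Assertion, its Issuer is a known license manager, the current time lies within Conditions, and each of the two OWS-4 attributes is present exactly once with one value. It assumes the XML Signature over the assertion has already been verified by the caller (signature handling is outside the example) and uses the attribute namespace as stated in the text; the sample token embedded in the block is constructed from the report's example, and the function and variable names are the example's own.

```python
"""Added example: parse and check an OWS-4 License Reference Token (SAML 1.1).

Illustrative code, not from the OWS-4 report, OGC or OpenSAML. It assumes the
XML Signature over the assertion has already been verified by the caller.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
OWS4_ATTR_NS = "http://www.opengeospatial.org/schemas/ows4"  # namespace named in the text
ATTR_LM_URL = "urn:opengeospatial:ows4:geodrm:licenseManagerURL"
ATTR_LICENSE_ID = "urn:opengeospatial:ows4:geodrm:licenseID"
SAMPLE_ISSUER = "http://iisdemo.informatik.unibw-muenchen.de/ows4/DummyLicenseManager"

# Constructed sample token, modelled on the report's example (values copied from it).
SAMPLE_TOKEN = f"""<Assertion xmlns="{SAML1}"
  AssertionID="_6e6a4ef27ee135a97b4f0843a1317c7d"
  IssueInstant="2007-01-15T17:29:14.968Z"
  Issuer="{SAMPLE_ISSUER}"
  MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2007-01-15T17:29:14.968Z" NotOnOrAfter="2007-02-07T21:02:34.968Z"/>
  <AttributeStatement>
    <Subject><SubjectConfirmation>
      <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
    </SubjectConfirmation></Subject>
    <Attribute AttributeName="{ATTR_LM_URL}" AttributeNamespace="{OWS4_ATTR_NS}">
      <AttributeValue>{SAMPLE_ISSUER}</AttributeValue>
    </Attribute>
    <Attribute AttributeName="{ATTR_LICENSE_ID}" AttributeNamespace="{OWS4_ATTR_NS}">
      <AttributeValue>ID_LICENSE_3</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def _instant(value):
    """Parse a SAML 1.1 UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad timestamp {value!r}")


def parse_license_reference_token(xml_text, trusted_issuers, now):
    """Return the license reference carried by the token, or raise ValueError.

    trusted_issuers: Issuer strings the service provider knows (license managers).
    now: timezone-aware datetime, or a SAML timestamp string, for the Conditions check.
    The token is only a pointer: the caller still has to fetch the real license
    from license_manager_url using license_id.
    """
    if isinstance(now, str):
        now = _instant(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("expected SAML 1.1")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"unknown issuer {issuer!r}")

    cond = root.find(f"{{{SAML1}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Conditions with NotBefore/NotOnOrAfter required")
    not_before = _instant(cond.get("NotBefore"))
    not_on_or_after = _instant(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):  # NotOnOrAfter is exclusive
        raise ValueError("token outside its validity period")

    wanted = {ATTR_LM_URL, ATTR_LICENSE_ID}
    found = {}
    for attr in root.iterfind(f"{{{SAML1}}}AttributeStatement/{{{SAML1}}}Attribute"):
        name = attr.get("AttributeName")
        if attr.get("AttributeNamespace") != OWS4_ATTR_NS or name not in wanted:
            continue  # attributes outside the OWS-4 namespace are ignored, not trusted
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML1}}}AttributeValue")]
        if name in found or len(values) != 1 or not values[0]:
            raise ValueError(f"{name} must appear once with exactly one non-empty value")
        found[name] = values[0]
    missing = wanted - set(found)
    if missing:
        raise ValueError(f"missing attribute(s): {sorted(missing)}")
    return {
        "issuer": issuer,
        "license_manager_url": found[ATTR_LM_URL],
        "license_id": found[ATTR_LICENSE_ID],
        "not_before": not_before,
        "not_on_or_after": not_on_or_after,
    }


if __name__ == "__main__":
    ref = parse_license_reference_token(SAMPLE_TOKEN, {SAMPLE_ISSUER}, "2007-01-20T00:00:00Z")
    print(ref["license_manager_url"], ref["license_id"])
```

Two points worth noting about what the example checks. The confirmation method in the token is sender-vouches, so nothing in the assertion binds it to the party presenting it; the service provider's trust rests entirely on the verified signature of a known Issuer and on the transport, which is why the issuer check comes before anything else. And a successful parse yields only the pointer: the license manager URL and license ID still have to be resolved to the complete license before any access decision is made.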
Remark
All implementations in OWS-4 use SAML 1.1 and not 2.0. There are minor differences between 1.1 and 2.0. The group chose 1.1 because it is better supported in software
libraries and packages. One of the libraries used is OpenSAML from Internet2:
http://www.opensaml.org
9.2.2 Acquiring a License Reference Token