Delegation Token Issuing Translucent
50
Copyright © 2009 Open Geospatial Consortium, Inc.Copyright © 2009 Open Geospatial Consortium, Inc.
urn:ows6:gpw:DelegationToken:Simple
which is requested by the delegatee and stated in the preconditions. The extended elements are:
Delegateable line 10: Boolean value indicating whether or not the delegatee is allowed to delegate the token further. This could lead to delegation chains as depicted
in figure 23.
Figure 23. Delegation Chain
Delegator Service A could delegate the authority for a specific resource on Service C to Service B
i
which can delegate it further Service B
i+1
etc. In case this element is set to true, further delegators have to put the received delegation token as the delegator
node value analogous to section II. B. For instance, if Service B
i
delegates it authority which was delegated to Service B
i
by Service B
i-1
to Service B
i+1
, the SDT issued by B
i-1
should go in there to allow Service C to determine that Service B
i+1
is acting on behalf of B
i
acting on behalf of B
i-1
.
Copyright © 2009 Open Geospatial Consortium, Inc.Copyright © 2009 Open Geospatial Consortium, Inc.
51 Delegator line 11: Contains an identity token for the delegator, in this case a SAML
Assertion, which could be fetched previously from a STS. This element is optional, if not provided, the delegation token issuing STS should embed the identity information
directly based on other authentication means of the requestor. Other identity tokens could also be possible, but SAML was chosen, because it is widely accepted and
supported.
Delegatee line 77: Contains an identity token for the delegatee, in this case a SAML Assertion, which was extracted from the preconditions.
Transaction line 144: The transaction has four parts: TransactionID: UUID indicating the whole transaction with the delegatee. The main
purpose is to prevent replay attacks. If a TransactionID has been previously used it should not be accepted by the target anymore as long as not stated differently in the
rights section.
Target: Contains the target URL which was extracted from the preconditions. Resource: Contains the actual resource which was extracted from the preconditions.
ResourceID: Contains ResourceID urn which was extracted from the preconditions.
Rights line 150: The simple delegation token adds the Rights section to the basic delegation token. In case of the simple delegation token, URNs are defined indicating
certain rights. Up to now only:
urn:ogc:def:delegation:rights:absolute:one-time-use is defined which grants full access but the TransactionIDs have to be accepted only
once. This concept is also held flexible in order to allow different rights encodings, such as GeoXACML.
Simple Delegation Token SDT Response
The STS responds with a SDT. A sample token is shown in listing 17. The STS basically wraps all input data in a single token and signs the token. The whole token is delivered
back.
52
Copyright © 2009 Open Geospatial Consortium, Inc.Copyright © 2009 Open Geospatial Consortium, Inc.
The delegatee is transformed to the saml:subject element native for SAML assertion. Thereby, the SDT SAML assertion is only valid for the delegatee.
When it comes to revocation of delegated authorities which is not covered in this ER, issuing only references would be the better solution because entities that want to validate
the token have to request it which will only be possible if the token is still valid.
Listing 17. Simple Delegation Token example
Please note that the SDT can include a del:DelegationChain element, which would contain previously issued SDT tokens in that chain. For instance, if Service B
i
delegates it authority which was delegated to Service B
i
by Service B
i-1
to Service B
i+1
, the SDT issued by B
i-1
should go in there to allow Service C to determine that Service B
i+1
is acting on behalf of B
i
acting on behalf of B
i-1
. Furthermore, the Target, Resource and ResourceID elements are optional since they
could be encoded directly in the rights section.