Archive for October, 2006

Latest revisions of SAML-LSSO and SimpleSign specs

Thursday, October 26th, 2006

Scott and I have updated the SAML-LSSO (Lightweight Web Browser Single-SignOn) profile and SimpleSign binding specs. Together they specify a lightweight SAML profile whose “security knob” can be dialed from completely “Off” to “On” (to various degrees) at implementation and/or deployment time. And if security is “On”, then the SimpleSign technique can be used, and/or the XMLdsig-based technique. The difference between the SimpleSign binding and the original SAMLv2 HTTP POST binding is rather small, and SimpleSign doesn’t obviate any aspects of the other binding, thus present implementations can be easily enhanced to support both bindings with minimal fuss.

Thus we feel one can easily, with SAML, provide the spectrum of simple-no-security-to-simple-but-with-security “Single Sign-On” functionality that various parties are currently running around attempting to reinvent.

The specs are here…

SAMLv2 Lightweight Web Browser SSO Profile

SAMLv2: HTTP POST “SimpleSign” Binding

JeffH sez check ’em out.

A Passel of IETF Internet-Drafts Reference SAML

Wednesday, October 11th, 2006

I did a cursory analysis of the number of current (as of 4-Oct-2006) IETF Internet-Drafts (I-Ds) that reference or employ SAML, and to what extent they do so. The executive summary of my findings is (click here to skip intro):

SUBSTANTIVE SAML employment:     8   I-Ds
Some SAML Incorporation:        10    ''
SAML referenced 'in passing':   10    ''

Seems to me this is a non-trivial number and that SAML is acquiring some decent traction there.

My overall analysis write-up is here, it lists the I-Ds my simple grepping turned up, as well as the bits of text where the term SAML occurs.

A plug for Gizmo

Thursday, October 5th, 2006

So there’s this bit of software called Gizmo that’s pretty cool, available from It’s a SIP (Session Initiation Protocol) -based “softphone” widget, err.. gizmo, that allows one to make voice calls on the Internet, like VoIP, duh.

Anyway, obvious to anyone who’s paid a lick of attention the past few years, this competes with Skype. Since the Skype folk got a head start in this here land-grab internet property era we’re in, seems many of my colleagues have a skype account, but not many have a Gizmo one. So I’m posting this here to encourage folks to give Gizmo a try. Of course it offers all the features of Skype, and more (much larger concall size is one obvious feature bennie). And it is open-standards-based, as compared to Skype, which is so ridiculously proprietary they even went to enormous lengths to obfuscate their executable code, apparently in order to try stymie reverse-engineering (as I’d written about previously). So anyway, since I favor open-standards-based systems, and work in designing them (eg LDAP, SAML, ID-WSF, and now the SIP-world), I wish more folks would try Gizmo.

The only substantial complaint I’ve heard wrt Gizmo is that it can only register with Gizmo’s own SIP proxy server farms. Well, with the relatively recent version 2.x, this is remedied, and a Gizmo client can register with both the Gizmo proxies, and with any generic (and typically free, in the economic sense) SIP proxy you wish, eg, and, your own open-source Asterisk SIP server at home, or your company’s SIP server.

JeffH sez check it out.

ps: Of course, I’m also very supportive of open source SIP clients — I just haven’t had the time to check them out yet. There are some, though, so take a looksee here, or google for ’em. I’ll have to try some of them out and write about them. There’s also so-called “SIP hardphones” — I just got a SNOM 320 on my desk, and am exploring it. So far it’s pretty cool — although I can’t easily haul it around with me.

Liberty ID-WSF v2.0 is announced

Wednesday, October 4th, 2006

It’s been a long haul, but it’s finally out the door..

Liberty Alliance Releases Final Version of ID-WSF 2.0 Web Services Standards (a comprehensive press release)

The specs themselves are here, and a very useful diagram illustrating the various high-level entity relationships in a deployment is here. If you mouse-over the boxes in the latter diagram, you’ll get a pop-up definition for that box’s role in the abstract deployment architecture, taken from the glossary (plus a link to the glossary). I’m tickled by this because I’m the glossary’s editor, and it seems that glossaries are often overlooked. But in any case, I edited or contributed to many of the specs, so am glad it’s finally out.

So, this was a pretty dry post, like most of mine seem to be. Maybe someday I’ll figure out how to get some humor in here. But in the meantime, there’s folks who manage humor just fine. See Paul Madsen’s post wrt ID-WSFv2.0, for example :)

A whole passel of folks contributed to getting this release done and out. Those of us who wrote chunks of specs got our names on the specs, which is nice, but there’s a non-trivial chunk of that passel who did yeoman‘s work helping this stuff get done, many of whom work for IEEE-ISTO, and I thank them for their contributions.

Rev -02 of HTTP Post-SimpleSign Binding

Wednesday, October 4th, 2006

Scott Cantor and I have updated the SAML HTTP POST-SimpleSign binding, which I’d posted about earlier in September.

The revised spec is here: draft-hodges-saml-binding-simplesign-02.pdf.

We enhanced section “1.2.4 Message Encoding and Conveyance” to allow for conveyance of a signed (via XMLdsig) SAML message via this binding. The primary implication of this change is that the only material difference between this binding and the “stock” HTTP POST binding in saml-bindings-2.0-os is inclusion of HTTP POST-SimpleSign’s particular sign-the-BLOB signature. We hope that this leads to greater code-reuse and ease for implementors.

We’re thinking we’re getting pretty close to being “done” with this particular spec.

Also, I need to update the SAMLv2 Lightweight Web Browser SSO Profile Internet-Draft (draft-hodges-saml-lsso-00.txt) to reference this new rev of the HTTP POST-SimpleSign binding.