Scott and I have updated the SAML-LSSO (Lightweight Web Browser Single-SignOn) profile and SimpleSign binding specs. Together they specify a lightweight SAML profile whose “security knob” can be dialed from completely “Off” to “On” (to various degrees) at implementation and/or deployment time. And if security is “On”, then the SimpleSign technique can be used, and/or […]
I did a cursory analysis of the number of current (as of 4-Oct-2006) IETF Internet-Drafts (I-Ds) that reference or employ SAML, and to what extent they do so. The executive summary of my findings is (click here to skip intro):
SUBSTANTIVE SAML employment: 8 I-Ds
Some SAML Incorporation: […]
Scott Cantor and I have updated the SAML HTTP POST-SimpleSign binding, which I’d posted about earlier in September.
The revised spec is here: draft-hodges-saml-binding-simplesign-02.pdf.
We enhanced section “1.2.4 Message Encoding and Conveyance” to allow for conveyance of a signed (via XMLdsig) SAML message via this binding. The primary implication of this change is that […]
Scott Cantor and I have revised the SAML HTTP POST-NoXMLdsig binding, which I’d posted about a while back.
We’ve renamed the binding to: “HTTP POST-SimpleSign”
The revised spec is here: draft-hodges-saml-binding-simplesign-01.pdf.
Note that the new “SimpleSign” spec obsoletes the old “NoXMLdsig” one.
There’s also various other relatively minor (some are subtle-but-important) changes and fixes, […]
Here’s a doc I recently constructed as an aid for other protocol designers and system/protocol implementors to use in figuring out how to go about “learning SAML”…
http://identitymeme.org/doc/draft-hodges-learning-saml-00.html
Note that this item is also listed over there in the sidebar on the right under the heading “Pages” (on my main blog page).
Technorati Tags: saml
The thoughtful Roger Sullivan makes his blogosphere appearance..
From the desk of Roger Sullivan…
Welcome Roger!
No Tags
See..
SAML IPR statements have been revised to explicit “defensive suspension”
..though don’t forget to also see this following message noting that AOL lead this charge by example, which those of us working behind the scenes to effect this overall posture liberally pointed to..
Re: SAML IPR statements have been revised toexplicit “defensive suspension”
The SSTC/SAML IPR Statements […]
From various discussions held with various folks, e.g. on the IDWorkshop mailing list (aka “Identity Gang“), it has become apparent that the major sticking point w.r.t. SAMLv2 adoption in some quarters, e.g. in the “scripting” world (e.g. PHP/Perl/Python/Ruby), is the present SAMLv2 bindings‘ mandated reliance on XML Digital Signature (aka “XMLdsig”, http://www.w3.org/TR/xmldsig-core/). Interoperable XMLdsig libraries […]
It turns out the Google has implemented SAML-based single sign-on in their Google Search Appliance gizmo.
Technorati Tags: Open Standards, saml
So, unfortunately for a while now, a few companies have asserted that they hold IP (Intellectual Property, typically in the form of issued patents) that applies to various aspects of SAML. RSA Security is one of these companies, and it even went so far as to “require” those implementing SAML to fill-out a license application […]