A SAMLv2 Relying Party PHP Implementation
Wednesday, November 1st, 2006
So Pat Patterson has pulled a nice rabbit outta his hat and concocted a SAMLv2 Relying Party Implementation in PHP! I’m going to have to play with this one…
Scott and I have updated the SAML-LSSO (Lightweight Web Browser Single Sign-On) profile and SimpleSign binding specs. Together they specify a lightweight SAML profile whose “security knob” can be dialed from completely “Off” to “On” (to various degrees) at implementation and/or deployment time. If security is “On”, then the SimpleSign technique can be used, and/or the XMLdsig-based technique. The difference between the SimpleSign binding and the original SAMLv2 HTTP POST binding is rather small, and SimpleSign doesn’t remove any aspects of the other binding, so present implementations can be enhanced to support both bindings with minimal fuss.
Thus we feel one can easily, with SAML, provide the spectrum of simple-no-security-to-simple-but-with-security “Single Sign-On” functionality that various parties are currently running around attempting to reinvent.
The specs are here…
JeffH sez check ‘em out.
I did a cursory analysis of the number of current (as of 4-Oct-2006) IETF Internet-Drafts (I-Ds) that reference or employ SAML, and to what extent they do so. The executive summary of my findings is:
Substantive SAML employment: 8 I-Ds
Some SAML incorporation: 10 I-Ds
SAML referenced “in passing”: 10 I-Ds
Seems to me this is a non-trivial number and that SAML is acquiring some decent traction there.
My overall analysis write-up is here, it lists the I-Ds my simple grepping turned up, as well as the bits of text where the term SAML occurs.
Scott Cantor and I have updated the SAML HTTP POST-SimpleSign binding, which I’d posted about earlier in September.
The revised spec is here: draft-hodges-saml-binding-simplesign-02.pdf.
We enhanced section “1.2.4 Message Encoding and Conveyance” to allow for conveyance of a signed (via XMLdsig) SAML message via this binding. The primary implication of this change is that the only material difference between this binding and the “stock” HTTP POST binding in saml-bindings-2.0-os is the inclusion of HTTP POST-SimpleSign’s particular sign-the-BLOB signature. We hope that this leads to greater code reuse and ease for implementors.
We’re thinking we’re getting pretty close to being “done” with this particular spec.
Also, I need to update the SAMLv2 Lightweight Web Browser SSO Profile Internet-Draft (draft-hodges-saml-lsso-00.txt) to reference this new rev of the HTTP POST-SimpleSign binding.
Scott Cantor and I have revised the SAML HTTP POST-NoXMLdsig binding, which I’d posted about a while back.
We’ve renamed the binding to: “HTTP POST-SimpleSign”
The revised spec is here: draft-hodges-saml-binding-simplesign-01.pdf.
Note that the new “SimpleSign” spec obsoletes the old “NoXMLdsig” one.
There are also various other relatively minor (some subtle but important) changes and fixes, such as..
KeyInfo from XMLdsig in order to supply a hint wrt keying material to the recipient.
We’re thinking we’re getting pretty close to being “done” with this particular spec.
FYI, an example SAML profile utilizing this binding is..
SAMLv2 Lightweight Web Browser SSO Profile
draft-hodges-saml-lsso-00.txt
Here’s a doc I recently constructed as an aid for other protocol designers and system/protocol implementors to use in figuring out how to go about “learning SAML”…
http://identitymeme.org/doc/draft-hodges-learning-saml-00.html
Note that this item is also listed over there in the sidebar on the right under the heading “Pages” (on my main blog page).
The thoughtful Roger Sullivan makes his blogosphere appearance..
Welcome Roger!
See..
SAML IPR statements have been revised to explicit “defensive suspension”
..though don’t forget to also see this following message noting that AOL led this charge by example, which those of us working behind the scenes to effect this overall posture liberally pointed to..
Re: SAML IPR statements have been revised to explicit “defensive suspension”
The SSTC/SAML IPR Statements Page is here. Thanks again to all the folks who worked to make this happen!
From various discussions held with various folks, e.g. on the IDWorkshop mailing list (aka “Identity Gang”), it has become apparent that the major sticking point w.r.t. SAMLv2 adoption in some quarters, e.g. in the “scripting” world (PHP/Perl/Python/Ruby), is the present SAMLv2 bindings’ mandated reliance on XML Digital Signature (aka “XMLdsig”, http://www.w3.org/TR/xmldsig-core/). Interoperable XMLdsig libraries are hard to come by, perhaps due to the XMLdsig spec’s complexity and its reliance on “XML canonicalization” (aka “c14n”, http://www.w3.org/TR/xml-c14n), which is inherently complex on its own.
So Scott Cantor and I have hacked up this draft alternative SAMLv2 HTTP POST “NoXMLdsig” binding..
Now the next step will be to craft a SAMLv2 Profile that takes advantage of it.
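As an added illustration (not code from this page, from the NoXMLdsig/SimpleSign drafts, or from the PHP relying party mentioned at the top), here is a Ruby sketch of the sign-the-BLOB idea behind the HTTP POST-NoXMLdsig binding introduced in this post and its SimpleSign successor described further up the page: the IdP signs the POSTed form values as one opaque byte string with ordinary RSA, and the RP verifies it with nothing but the OpenSSL library that ships with Ruby, no XMLdsig or c14n library required. The form control names, the SigAlg allow-list handling, the exact layout of the signed string, and the reduction of the KeyInfo hint to a plain key name are assumptions made for this example; the drafts’ normative layout is not reproduced here.

```ruby
require 'openssl'
require 'base64'

# Added example (not from the page, the drafts, or any cited implementation).
# Idea under demonstration: sign the POSTed form values as one opaque blob with
# plain RSA so the relying party needs OpenSSL only, no XMLdsig or c14n.
# ASSUMPTIONS: the form control names, the signed-string layout below, and
# carrying the KeyInfo hint as a bare key name are illustrative choices.

SIG_ALG_RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'.freeze
# RP-side allow-list: SigAlg URI -> OpenSSL digest name. Anything else is
# rejected before a key is even looked up, so the sender cannot pick the algorithm.
ALLOWED_SIG_ALGS = { SIG_ALG_RSA_SHA256 => 'SHA256' }.freeze

# Constructed sample message with made-up identifiers (not a real assertion).
SAMPLE_RESPONSE = <<~XML.freeze
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="_example-response-1" Version="2.0" IssueInstant="2006-10-04T12:00:00Z">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml:Issuer>
  </samlp:Response>
XML

# The byte string that is signed and later verified, rebuilt on both sides
# from the form values exactly as they travel in the POST body (after the web
# framework has form-url-decoded them). Fixed field order, no XML parsing.
def signed_content(form)
  parts = []
  parts << "SAMLResponse=#{form['SAMLResponse']}" if form['SAMLResponse']
  parts << "RelayState=#{form['RelayState']}" if form['RelayState']
  parts << "SigAlg=#{form['SigAlg']}"
  parts.join('&')
end

# IdP side: produce the form controls the browser will auto-POST to the RP.
def idp_build_form(private_key, xml, relay_state, key_name)
  form = {
    'SAMLResponse' => Base64.strict_encode64(xml),
    'RelayState'   => relay_state,
    'SigAlg'       => SIG_ALG_RSA_SHA256,
  }
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signed_content(form))
  form['Signature'] = Base64.strict_encode64(sig)
  form['KeyInfo']   = key_name # hint only; the RP resolves keys from its own trust store
  form
end

# RP side: verify before trusting anything inside the message.
# keys_by_name is the RP's locally configured trust store (key name -> public key);
# the KeyInfo hint may only select among those keys, never introduce a new one.
def rp_verify_form(form, keys_by_name)
  digest_name = ALLOWED_SIG_ALGS[form['SigAlg']]
  return [false, 'SigAlg not in allow-list'] unless digest_name
  pub = keys_by_name[form['KeyInfo']]
  return [false, 'unknown key hint'] unless pub
  return [false, 'missing SAMLResponse'] unless form['SAMLResponse']
  begin
    sig = Base64.strict_decode64(form['Signature'].to_s)
    ok = pub.verify(OpenSSL::Digest.new(digest_name), sig, signed_content(form))
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    ok = false
  end
  return [false, 'signature does not verify'] unless ok
  # Only now is it safe to decode and hand the XML to the SAML processing layer.
  [true, Base64.strict_decode64(form['SAMLResponse']).force_encoding('UTF-8')]
end

# Stand-alone round trip: one good form plus the failure modes an RP must catch.
def simplesign_demo
  idp_key = OpenSSL::PKey::RSA.new(2048)
  trust_store = { 'idp.example.org#2006' => idp_key.public_key }
  form = idp_build_form(idp_key, SAMPLE_RESPONSE,
                        'https://rp.example.com/after-login', 'idp.example.org#2006')
  {
    good:        rp_verify_form(form, trust_store),
    tampered:    rp_verify_form(form.merge('RelayState' => 'https://evil.example/x'), trust_store),
    wrong_alg:   rp_verify_form(form.merge('SigAlg' => 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'), trust_store),
    unknown_key: rp_verify_form(form.merge('KeyInfo' => 'someone-else'), trust_store),
    missing_msg: rp_verify_form(form.reject { |k, _| k == 'SAMLResponse' }, trust_store),
  }
end

puts simplesign_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Three checks in the RP path are the ones that matter in practice: the SigAlg value is matched against a local allow-list before the key is touched (so the sender cannot steer the verifier onto a weak or keyless algorithm), the KeyInfo hint is used only to pick a key the RP already trusts, and the signed string is rebuilt from the parsed form values in a fixed order and verified before anything is base64-decoded or parsed as XML.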
It turns out that Google has implemented SAML-based single sign-on in their Google Search Appliance gizmo.