Archive for the ‘SAML’ Category

SAML: deployments of, and references to — from OASIS Adoption Forum 2006

Wednesday, December 13th, 2006

The procedings of the 2006 OASIS Adoption Forum (28,29-Nov-2006, London) are here..

OASIS Adoption Forum

SAML figures prominently in many of the talks. Below, I’ve sorted the talks by whether they are discussing actual SAML implementations and/or deployments, planning to use SAML, or the talk references SAML in context.

The presos, unto themselves, illustrate a large and growing SAML deployment community, apparently amounting to millions of identities in aggregate, in the near future if not now. Of course, they are just illustrating a tip of the iceberg, e.g. the extensive Shib-based community, enterprise deployments, etc are not necessarily reflected here.

Deployments/Implementations Employing SAML…

Keynote Presentation – The NHS, Standards, Security & Identity Management
Mark D. Ferrar

Real Life Solution, Real Life Problems: A-Select, An Open Source Federated Identity Management Solution
Maarten Koopmans

The Identity and Authorization Management in e-Government System: Requirements and Implemention Methods
Chuan Liu

The Role of SAML for Identity Management in the Danish Public Sector
Søren Peter Nielsen

GUIDE Project for a Consistent Approach to Identity Management Across the EU and Its Use of SAML and Liberty Alliance
Keiron Salt

XML, Web Services and SOA: Data Protection and Privacy Opportunities and Challenges in the Government Sector
Rich Salz

Deployments planning to employ SAML…

Case Study: The British Columbia Attorney General implementation of Web Services Security
Toufic Boubez

References to/of SAML…

The Need of SDO Collobaration as an Enabler of SOA in NGN
Abbie Barbir

Towards Trusted Web Services
Kevin Blackman (see slide 28)

Practical Cases of One e-Identity for Different Web-Solutions
Zivko Lazarov

ITU-T Presentation
Georges Sebek

Of course these reference SAML…

XML Security Standards: Overview for the Non-Specialist
Hal Lockhart

Extensible Access Control Markup Language (XACML) Update
Hal Lockhart

[at time of writing this post, the content of the above two .ppt files was reversed relative to their labeling on the web page (and above). i reported the bug, it may be resolved at some point. I’ll update this page if necessary once the proceedings page is fixed.]

HTML version of SAMLv2 Glossary is online..

Tuesday, November 7th, 2006

SAMLv2 Glossary HTML version

..Thanks to some intrepid html hacking by John Kemp to add relative URI anchors to each of the defined terms. Hopefully, having this glossary online will help clarify various identity-related discussions on-going in various ad-hoc fora.

Of course, since the SAMLv2 spec set was produced using Open Office, it was rather simple to create a reasonable HTML version from the spec source.

A SAMLv2 Relying Party PHP Implementation

Wednesday, November 1st, 2006

So Pat Patterson has pulled a nice rabbit outta his hat and concocted a SAMLv2 Relying Party Implementation in PHP! I’m going to have to play with this one…

Switching on the Lightbulb

Q&A on the OpenSSO SAML 2.0 PHP work

Latest revisions of SAML-LSSO and SimpleSign specs

Thursday, October 26th, 2006

Scott and I have updated the SAML-LSSO (Lightweight Web Browser Single-SignOn) profile and SimpleSign binding specs. Together they specify a lightweight SAML profile whose “security knob” can be dialed from completely “Off” to “On” (to various degrees) at implementation and/or deployment time. And if security is “On”, then the SimpleSign technique can be used, and/or the XMLdsig-based technique. The difference between the SimpleSign binding and the original SAMLv2 HTTP POST binding is rather small, and SimpleSign doesn’t obviate any aspects of the other binding, thus present implementations can be easily enhanced to support both bindings with minimal fuss.

Thus we feel one can easily, with SAML, provide the spectrum of simple-no-security-to-simple-but-with-security “Single Sign-On” functionality that various parties are currently running around attempting to reinvent.

The specs are here…

SAMLv2 Lightweight Web Browser SSO Profile

SAMLv2: HTTP POST “SimpleSign” Binding

JeffH sez check ’em out.

A Passel of IETF Internet-Drafts Reference SAML

Wednesday, October 11th, 2006

I did a cursory analysis of the number of current (as of 4-Oct-2006) IETF Internet-Drafts (I-Ds) that reference or employ SAML, and to what extent they do so. The executive summary of my findings is (click here to skip intro):

SUBSTANTIVE SAML employment:     8   I-Ds
Some SAML Incorporation:        10    ''
SAML referenced 'in passing':   10    ''

Seems to me this is a non-trivial number and that SAML is acquiring some decent traction there.

My overall analysis write-up is here, it lists the I-Ds my simple grepping turned up, as well as the bits of text where the term SAML occurs.

Rev -02 of HTTP Post-SimpleSign Binding

Wednesday, October 4th, 2006

Scott Cantor and I have updated the SAML HTTP POST-SimpleSign binding, which I’d posted about earlier in September.

The revised spec is here: draft-hodges-saml-binding-simplesign-02.pdf.

We enhanced section “1.2.4 Message Encoding and Conveyance” to allow for conveyance of a signed (via XMLdsig) SAML message via this binding. The primary implication of this change is that the only material difference between this binding and the “stock” HTTP POST binding in saml-bindings-2.0-os is inclusion of HTTP POST-SimpleSign’s particular sign-the-BLOB signature. We hope that this leads to greater code-reuse and ease for implementors.

We’re thinking we’re getting pretty close to being “done” with this particular spec.

Also, I need to update the SAMLv2 Lightweight Web Browser SSO Profile Internet-Draft (draft-hodges-saml-lsso-00.txt) to reference this new rev of the HTTP POST-SimpleSign binding.

SAMLv2: HTTP Post-SimpleSign Binding

Friday, September 8th, 2006

Scott Cantor and I have revised the SAML HTTP POST-NoXMLdsig binding, which I’d posted about a while back.

We’ve renamed the binding to: “HTTP POST-SimpleSign”

The revised spec is here: draft-hodges-saml-binding-simplesign-01.pdf.

Note that the new “SimpleSign” spec obsoletes the old “NoXMLdsig” one.

There’s also various other relatively minor (some are subtle-but-important) changes and fixes, such as..

  • Clarified that conveyed assertions may be signed.
  • Added optional conveyance of KeyInfo from XMLdsig in order to supply a hint wrt keying material to the recipient.
  • Clarified composability with other SAML HTTP-based bindings.
  • Revamped illustration.
  • etc.

We’re thinking we’re getting pretty close to being “done” with this particular spec.

FYI, an example SAML profile utilizing this binding is..

SAMLv2 Lightweight Web Browser SSO Profile

How to Study and Learn SAML

Friday, September 8th, 2006

Here’s a doc I recently constructed as an aid for other protocol designers and system/protocol implementors to use in figuring out how to go about “learning SAML”…

Note that this item is also listed over there in the sidebar on the right under the heading “Pages” (on my main blog page).

Another “identity topic” blogger…

Wednesday, August 9th, 2006

The thoughtful Roger Sullivan makes his blogosphere appearance..

From the desk of Roger Sullivan…

Welcome Roger!

All Declared SAML IPR Statements are now “defensive suspension”

Wednesday, June 28th, 2006


SAML IPR statements have been revised to explicit “defensive suspension”

..though don’t forget to also see this following message noting that AOL lead this charge by example, which those of us working behind the scenes to effect this overall posture liberally pointed to..

Re: SAML IPR statements have been revised toexplicit “defensive suspension”

The SSTC/SAML IPR Statements Page is here. Thanks again to all the folks who worked to make this happen!

My previous post on these developments is here.