FW: SAML and DSML 2.0

[James Tauber <jtauber@bowstreet.com>]

The issue has been raised of liaison between OASIS's security services work
and DSML. I've included below a thread that was started on this topic.

If there is anyone interested in acting as a liason between these two
efforts, given the contribution they can make to each other, please let me
know.

Also, please feel free to add comments to the thread below.

James

-----Original Message-----
From: DeSouza, Edwin [mailto:edesouza@jamcracker.com]
Sent: Thursday, March 29, 2001 3:50 PM
To: Orchard, David; 'Eve L. Maler'; 'James Tauber'
Subject: RE: SAML and DSML 2.0


David, Eve,
Would it be worth it to forward this thread to the SAML list?

James,
Also forward to the DSML list?

That way we can have many other people thinking/contributing too.

Regards,
Edwin.

-----Original Message-----
From: Orchard, David 
Sent: Thursday, March 29, 2001 12:44 PM
To: Eve L. Maler; James Tauber
Cc: DeSouza, Edwin; Orchard, David
Subject: RE: SAML and DSML 2.0


I think there's another aspect or 2.  James, you've mentioned 2
protocol-centric views, but there's also a data model and protocol binding
view as well.  

In addition to your 2 aspects, I offer:
o The overlap/re-use in the data-types and structures parts of the
documents.  For example, does a userID in DSML map to a SAML userID?  How
are resources identified/named?
o the relationship between the encoding rules.  DSML defines ( I assume so
at any rate) rules for encoding a graph of directory information.  SAML will
similarly define mechanisms for encoding a graph or collection of assertions
and requests. 
o the data-types and schemata languages used.  SAML appears to be leaning to
XML Schema, while I'm not sure about DSML
o The relationship between the request/response styles.  DSML must define a
syntax for request/response, as will SAML.   What do the push/pull requests
look like?
o Security/Authentication.  How does a DSML partner authenticate versus SAML
partners. 

On the subject of overlap in the use cases, it seems to me that the Single
sign-on use case of SAML has potential of overlap with DSML, especially with
session management.  There is a request/response interaction that SAML
describes to keep authentication state shared between 2 entities.  With
session, there is effectively a repository (ala LDAP?) on either side that
need synchronization.  Perhaps the SSO pull could be encoded as a DSML
Query, and the session management could be encoded as a DSML add/delete
request.

It also seems that the authorization use case of SAML has overlap, because
SAML authorization is a query about whether a user can access a resource.
DSML probably has defined relationships between users and resources, as well
as a query grammer so a SAML authorization query could look like a DSML
query.  The DAML submission shows an example of an encoding of a query in a
graph format ( as opposed to XQuery/SQL's string syntax).

This one really troubles me as I'm not sure how arbitrarily complex these
queries can be "Can user X acting as role Y working for company Z accessing
system from A with credential B access Resource R?".  James, we've spoken
before about the overlap of UDDI queries and XQuery.  It seems that
authorization questions are based upon completely arbitrary graphs of
information that is not standardizable, so a completely general syntax like
XQuery is needed.  Particularly interesting is that it looks like there will
be an XML Access control group defining security policies in XML Graphs.
Logically a query facility of XACML would use XQuery.  

These are just my first brush thoughts to try to drive to another level.  

Cheers,
Dave   

> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@east.sun.com]
> Sent: Thursday, March 29, 2001 12:16 PM
> To: James Tauber
> Cc: 'DeSouza, Edwin'; 'eve.maler@east.sun.com'; Orchard, David
> Subject: RE: SAML and DSML 2.0
> 
> 
> Hi James,
> 
> At 01:05 PM 3/29/01 -0500, James Tauber wrote:
> 
> >There seem to be two aspects to the relationship between 
> SAML and DSML:
> >
> >1. the role DSML might play in accessing user information 
> for use by SAML
> >2. the role SAML might play in providing auth for DSML queries and
> >modifications
> 
> Sounds about right to me.
> 
> We may want to ensure that there's a use-case scenario (this 
> is what we're 
> calling our specific instances of high-level use cases) that 
> has a DSML 
> connection, in your #1 sense.  Dave, perhaps you could 
> comment on this.
> 
> >Are there any common people between the two groups---someone 
> that could act
> >as a liason?
> 
> Our current member list is at:
> 
>    http://www.oasis-open.org/committees/security/members.shtml
> 
> Is there an equivalent list at dsml.org?  I couldn't find one.  I can 
> certainly bring up the issue of liaison with DSML at our next 
> SSTC telecon 
> (3 April).  James, if you're interested, I can even have you join the 
> meeting and speak for a moment on what's going on with DSML.
> 
>          Eve
> --
> Eve Maler                                             +1 781 442 3190
> Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
>