OASIS Mailing List Archives



Subject: [OASIS members] SAML Committee Specification for consideration as OASIS Standard


OASIS members:

The OASIS Security Services TC has submitted the SAML V1.0
specification, which is an approved Committee Specification, for
review and consideration for approval by OASIS members to become an
OASIS Standard. In accordance with Section 2 of the OASIS Technical
Process (see http://www.oasis-open.org/committees/process.shtml#sec2),
OASIS members have one calendar quarter to review this submission then
30 days for voting. The review will take place from 1 July to 30
September 2002, and I will call for a vote on 1 October 2002; each
OASIS member organization will have a single vote on the ballot.

During the member review period comments may be sent to the TC via the
TC's comment list at security-services-comment@lists.oasis-open.org.
You must subscribe to the list first before posting; go to
http://lists.oasis-open.org/ob/adm.pl

The OASIS TC has supplied the following required items for OASIS
members to review:

------------

As a result of a unanimous vote of the Security Services Technical
Committee conducted on Tuesday 28 May 2002, the TC co-chairs hereby
submit the SAML 1.0 specification for consideration as an OASIS
Standard.

Pursuant to the process stipulated in Section 2 of the OASIS Technical
Committee Policy, the TC has published:

(a) A formal specification that is a valid member of its type.
(b) Appropriate documentation for the specification.

This material, in the currently recommended OASIS format, is available
on the TC web site at
http://www.oasis-open.org/committees/security/#documents

These are the normative documents related to the specification.

* Assertions and Protocol
http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf

   * Assertion Schema
http://www.oasis-open.org/committees/security/docs/cs-sstc-schema-assertion-01.xsd

   * Protocol Schema
http://www.oasis-open.org/committees/security/docs/cs-sstc-schema-protocol-01.xsd

* Bindings and Profiles
http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-01.pdf

* Conformance Program Specification
http://www.oasis-open.org/committees/security/docs/cs-sstc-conform-01.pdf

* Glossary
http://www.oasis-open.org/committees/security/docs/cs-sstc-glossary-01.pdf


Non-normative information related to the specification:

* Security and Privacy Considerations
http://www.oasis-open.org/committees/security/docs/cs-sstc-sec-consider-01.pdf

* Open issues summary document
http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-status-06.pdf

* Issues list
http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-12.pdf

* Errata document describing changes from the 00 to the 01 revision
http://www.oasis-open.org/committees/security/docs/draft-sstc-cs-errata-04.pdf



(c) A clear English-language summary of the specification.

The Security Assertion Markup Language (SAML) is an XML-based
framework for exchanging security information. This security
information is expressed in the form of assertions about subjects,
where a subject is an entity (either human or computer) that has an
identity in some security domain. A typical example of a subject is a
person, identified by his or her email address in a particular
Internet DNS domain.

Assertions can convey information about authentication acts performed
by subjects, attributes of subjects, and authorization decisions about
whether subjects are allowed to access certain resources. Assertions
are represented as XML constructs and have a nested structure, whereby
a single assertion might contain several different internal statements
about authentication, authorization, and attributes. Note that
assertions containing authentication statements merely describe acts
of authentication that happened previously.

Assertions are issued by SAML authorities, namely, authentication
authorities, attribute authorities, and policy decision points. SAML
defines a protocol by which clients can request assertions from SAML
authorities and get a response from them. This protocol, consisting of
XML-based request and response message formats, can be bound to many
different underlying communications and transport protocols; SAML
currently defines one binding, to SOAP over HTTP.

SAML may be profiled to enable Single Sign-On (SSO), the ability of a
user to authenticate in one domain and use resources in other domains
without re-authenticating. The SAML specifications define two Web
Browser SSO Profiles. However, note that SAML can be profiled to
support various non-SSO-specific usage scenarios, such as in
authorization systems.


(d) Certifications of implementation

The chairs are pleased to report that more than 10 companies have
provided attestations of implementation and use for SAML 1.0. As SAML
1.0 conformance allows for modular implementation of the
specification, the committee has determined that each aspect of the
specification has been implemented by at least 5 companies. All
implementers have been made aware of IPR claims regarding the
specification and insofar as any processes have been established for
complying with these claims, each implementer believes they have taken
adequate steps to comply with any such rights, or claimed rights.

A complete list of attestations from implementers is available in the
Security Services TC e-mail archives. The following representative
list of attestations of implementation and acknowledgment of IPR
claims satisfies the OASIS requirement for submitting a specification
for review:

Sun Microsystems
http://lists.oasis-open.org/archives/security-services/200205/msg00040.html
http://lists.oasis-open.org/archives/security-services/200206/msg00021.html

Oblix
http://lists.oasis-open.org/archives/security-services/200205/msg00045.html
http://lists.oasis-open.org/archives/security-services/200206/msg00019.html

Quadrasis
http://lists.oasis-open.org/archives/security-services/200205/msg00038.html
http://lists.oasis-open.org/archives/security-services/200206/msg00029.html

CrossLogix
http://lists.oasis-open.org/archives/security-services/200205/msg00037.html
http://lists.oasis-open.org/archives/security-services/200206/msg00026.html

Entrust
http://lists.oasis-open.org/archives/security-services/200205/msg00074.html
http://lists.oasis-open.org/archives/security-services/200206/msg00027.html

Internet2
http://lists.oasis-open.org/archives/security-services/200205/msg00030.html
http://lists.oasis-open.org/archives/security-services/200206/msg00028.html

Novell
http://lists.oasis-open.org/archives/security-services/200206/msg00000.html
http://lists.oasis-open.org/archives/security-services/200206/msg00030.html

Sigaba
http://lists.oasis-open.org/archives/security-services/200205/msg00043.html
http://lists.oasis-open.org/archives/security-services/200206/msg00031.html

Baltimore
http://lists.oasis-open.org/archives/security-services/200205/msg00042.html
http://lists.oasis-open.org/archives/security-services/200206/msg00033.html


(e) History of previous OASIS standardization attempts.

There have been no past attempts to submit SAML for OASIS
standardization.

(f) Publicly visible comments archive.

The Security Services TC comment archive can be found at
http://lists.oasis-open.org/archives/security-services-comment/

(g) OASIS IPR policy statement.

The chairs certify that all members of the TC have been provided with
a copy of the OASIS IPR policy.


Respectfully submitted,

Joe Pato & Jeff Hodges
Co-Chairs OASIS Security Services TC


</karl>
=================================================================
Karl F. Best
OASIS - Director, Technical Operations
+1 978.667.5115 x206
karl.best@oasis-open.org  http://www.oasis-open.org


