Subject: [saml-dev] Introduction & Question about the "heaviness" of SAML
Hello, all. I'm new to the list, and signed up to better understand SAML. I'm looking into it as a possible solution for an open source single sign-on platform, although it's going to be a bit of a battle to talk my co-developer into it since he's convinced SAML is too bloated and cumbersome. But, I'm trying to fully understand it so I can try to find ways to simplify the spec for our needs.

Currently my co-developer's idea for SSO is very simple (a bonus), but not easily interoperable with industry standards (IMO) and possibly not very resistant to forgery and other security hazards. I'd like to find a way to use his basic idea from within SAML so that we can easily build gateways to Liberty, Shibboleth, and other SAML-based systems. His idea is based off of a simple hash string, called a Ticket, that is passed to the requesting service by the user's identity host. This Ticket is used to identify the session the user has with the service, as well as tell the service that the identity host has validated the user.

I suppose I could start by asking a question based on his primary argument. I'm trying to read through the specification now, and I think it is true from what I've read, but would like to make sure from people who are very familiar with SAML. Is the ability to store information in the assertion that allows the recipient to verify the validity of the assertion without a network connection, such as after the network connection is dropped, mandatory? Or is all of that information optional if our system will require a network connection to operate?

Sorry if this is a bit vague, I'm stumbling into new territory here, and not entirely sure of the concepts yet.