[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [saml-dev] Introduction & Question about the "heaviness" of SAML
Hi Adam, So is this going to dove-tail back into anything with Jabber? If you're looking at SSO (which SAML can definitely play a part) you should check out what we're doing in Internet 2 with Shibboleth (http://middleware.internet2.edu/shibboleth) and WebISO (http://middleware.internet2.edu/webiso). Possibly you could also look into what's going on in with PingID (http://www.pingid.com). I would advise getting more involved with one of those scenarios than trying to do your own. The last thing the world needs is another SSO option since one of the things preventing more wide-spread adoption is that there's too many non-interopable options now. I've also made the argument at the recent I2 meetings that everyone focuses on authentication when it's authorization that's the kicker. It's relatively easy to pass around SSO authentication tickets (which is why there's so many freakin' different options out there). The more criticial & harder piece to solve is standardizing authorization information which is the point that SAML is trying to solve. SAML isn't perfect. But nothing is. And it's got a lot more traction than anything else out there. If you have questions about I2 stuff -- you can email me offline as well at mark.wilcox@webct.com. Mark -----Original Message----- From: Adam Theo [mailto:theo@theoretic.com] Sent: Saturday, November 09, 2002 2:29 PM To: saml-dev@lists.oasis-open.org Subject: [saml-dev] Introduction & Question about the "heaviness" of SAML Hello, all. I'm new to the list, and signed up to better understand SAML. I'm looking into it as a possible solution for an open source single sign-on platform, although it's going to be a bit of a battle to talk my co-developer into it since he's convinved SAML is too bloated and cumbersome. But, I'm trying to fully understand it so I can try to find ways to simplify the spec for our needs. Currently my co-developer's idea for SSO is very simple (a bonus), but not easily interoperable with industry standards(IMO) and possibly not very resistant to forgery and other security hazards. I'd like to find a way to use his basic idea from within SAML so that we can easily build gateways to Liberty, Shibboleth, and other SAML-based systems. His idea is based off of a simple hash string, called a Ticket, that is passed to the requesting service by the user's identity host. This Ticket is used to identify the session the user has with the service, as well as tell the service that the identity host has validated the user. I suppose I could start by asking a question based on his primary argument. I'm trying to read through the specification now, and I think it is true from what I've read, but would like to make sure from people who are very familiar with SAML. Is the ability to store information in the assertion that allows the recipient to verify the validity of the assertion without a network connection, such as after the network connection is dropped, mandatory? Or is all of that information optional if our system will require a network connection to operate? Sorry if this is a bit vague, I'm stumbling into new territory here, and not entirely sure of the concepts yet. ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC