Subject: Re: [saml-dev] Introduction & Question about the "heaviness" of SAML


Mark Wilcox wrote:
> Hi Adam,
> So is this going to dove-tail back into anything with Jabber?

LOL, nope, not any time soon, anyway. It's a separate project I'm 
working on.

Hiya Mark. Good seeing you here.

> If you're looking at SSO (which SAML can definitely play a part) you should
> check out what we're doing in Internet 2 with Shibboleth
> (http://middleware.internet2.edu/shibboleth) and WebISO
> (http://middleware.internet2.edu/webiso).

Yeah, I recently took a look at Shib, and am really liking it. I want to 
build an SSO system based off it.

> Possibly you could also look into what's going on in with PingID
> (http://www.pingid.com).

Yeah. /me raises his hand. That's me. Well, I'm leading the pingid.org 
side of it now, anyway, along with Mike, the guy who I'm trying to 
convince that SAML really isn't that bad. Ignore the "SourceID" 
reference on the front page of pingid.org for now. The .com guys are 
tossing us around, trying to figure out if they want the open protocol 
renamed, and then what to. In the mean time I'm just sitting back, 
rubbing my forehead, trying to prevent a headache from coming on....

> I would advise getting more involved with one of those scenarios than trying
> to do your own. The last thing the world needs is another SSO option since
> one of the things preventing more wide-spread adoption is that there's too
> many non-interoperable options now.
> 
> I've also made the argument at the recent I2 meetings that everyone focuses
> on authentication when it's authorization that's the kicker. It's relatively
> easy to pass around SSO authentication tickets (which is why there's so many
> freakin' different options out there). The more critical & harder piece to
> solve is standardizing authorization information which is the point that
> SAML is trying to solve.

Yes, I agree. Mike and I have decided that PingID will focus on 
Authorization as our selling point. Shib is cool and all, but it really 
seems to focus on anonymity as a means to privacy rather than strict and 
powerful access control.

> SAML isn't perfect. But nothing is. And it's got a lot more traction than
> anything else out there.

Yep, that's why I think PingID Protocol really should use SAML instead 
of creating its own SSO system, which is what Mike has drafted up: 
http://www.pingid.org/?Tickets

What I'm looking for right now are counter-arguments to the points Mike 
is bringing up with respects to SAML. I'm reading the specs, and am more 
or less understanding them, but it is proving to be a lot to bend my 
brain around.

> If you have questions about I2 stuff -- you can email me offline as well at
> mark.wilcox@webct.com.

Sure, will do. I'm interested in taking a lot of ideas Shib has, as well 
as making sure PingID is easily Shib-compatible.

> Mark




> -----Original Message-----
> From: Adam Theo [mailto:theo@theoretic.com]
> Sent: Saturday, November 09, 2002 2:29 PM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Introduction & Question about the "heaviness" of
> SAML
> 
> 
> Hello, all.
> 
> I'm new to the list, and signed up to better understand SAML. I'm
> looking into it as a possible solution for an open source single sign-on
> platform, although it's going to be a bit of a battle to talk my
> co-developer into it since he's convinced SAML is too bloated and
> cumbersome. But, I'm trying to fully understand it so I can try to find
> ways to simplify the spec for our needs.
> 
> Currently my co-developer's idea for SSO is very simple (a bonus), but
> not easily interoperable with industry standards (IMO) and possibly not
> very resistant to forgery and other security hazards. I'd like to find a
> way to use his basic idea from within SAML so that we can easily build
> gateways to Liberty, Shibboleth, and other SAML-based systems. His idea
> is based off of a simple hash string, called a Ticket, that is passed to
> the requesting service by the user's identity host. This Ticket is used
> to identify the session the user has with the service, as well as tell
> the service that the identity host has validated the user.
> 
> I suppose I could start by asking a question based on his primary
> argument. I'm trying to read through the specification now, and I think
> it is true from what I've read, but would like to make sure from people
> who are very familiar with SAML.
> 
> Is the ability to store information in the assertion that allows the
> recipient to verify the validity of the assertion without a network
> connection, such as after the network connection is dropped, mandatory?
> Or is all of that information optional if our system will require a
> network connection to operate? Sorry if this is a bit vague, I'm
> stumbling into new territory here, and not entirely sure of the concepts
> yet.
> 
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
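As an added illustration of the question raised above (example code written for this archive page, not code from the original thread or from the PingID or Shibboleth projects), here is a simplified model of the two designs: an opaque hash Ticket that the service can only validate by asking the identity host, beside a self-contained assertion that carries issuer, subject, a validity window and an integrity tag the recipient checks without any network round trip. The HMAC over a JSON body is an assumption standing in for the XML signature and Conditions element of a real SAML assertion; the shared key, names and ticket store are constructed for the example.

```python
import hmac
import hashlib
import json
import time

# Constructed demo key shared by identity host and service. In real SAML the
# assertion carries an XML signature instead; the HMAC is a stand-in here.
SHARED_KEY = b"constructed-demo-key"


def issue_assertion(key, subject, issuer, lifetime_s, now=None):
    """Build a self-contained assertion: who, from whom, when valid, plus a MAC."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject,
            "not_before": now, "not_on_or_after": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_offline(key, assertion, now=None):
    """Check integrity and the validity window with no call back to the issuer."""
    now = time.time() if now is None else now
    payload = json.dumps(assertion["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return False  # tampered or forged: MAC does not match the body
    b = assertion["body"]
    return b["not_before"] <= now < b["not_on_or_after"]


# Bare-ticket model: the hash means nothing by itself, so the service must
# ask the identity host whether it was issued. Constructed issuer-side store.
ISSUED_TICKETS = {}


def issue_ticket(subject):
    """Mint an opaque ticket and remember it on the identity host side."""
    ticket = hashlib.sha256(f"{subject}:{time.time()}".encode()).hexdigest()
    ISSUED_TICKETS[ticket] = subject
    return ticket


def verify_ticket_via_issuer(ticket, issuer_reachable):
    """True/False if the identity host answers; None if it cannot be reached."""
    if not issuer_reachable:
        return None  # no decision possible once the network connection drops
    return ticket in ISSUED_TICKETS
```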