Requesting SAML 1.1 Committee Specification for consideration as OASIS Standard

["Philpott, Robert" <rphilpott@rsasecurity.com>]

As a result of a unanimous vote of the Security Services Technical Committee conducted on Tuesday, 01-July-2003, the TC co-chairs hereby submit the SAML 1.1 specification for consideration as an OASIS Standard. Minutes for this meeting are posted at: http://lists.oasis-open.org/archives/security-services/200307/msg00002.html.

 

Pursuant to the process stipulated in Section 2 of the OASIS Technical Committee Process, the SSTC has published:

 

1. "A formal specification that is a valid member of its type, together with appropriate documentation for the specification, both of which must be written using approved OASIS templates."  The SAML 1.1 Specifications are available in a Zip file format from the SSTC Web site at:
• http://www.oasis-open.org/committees/download.php/2791/sstc-saml-1.1-cs-02.zip

 

The individual normative documents are available at:

·         http://www.oasis-open.org/committees/download.php/2790/sstc-saml-core-1.1-cs-02.pdf

·         http://www.oasis-open.org/committees/download.php/2281/sstc-saml-bindings-1.1-cs-01.pdf

·         http://www.oasis-open.org/committees/download.php/2282/sstc-saml-conform-1.1-cs-01.pdf

·         http://www.oasis-open.org/committees/download.php/2284/sstc-saml-glossary-1.1-cs-01.pdf

·         http://www.oasis-open.org/committees/download.php/2287/sstc-saml-schema-protocol-1.1-cs.xsd

·         http://www.oasis-open.org/committees/download.php/2286/sstc-saml-schema-assertion-1.1-cs.xsd

 

The following non-normative document is also considered part of the submission:

·         http://www.oasis-open.org/committees/download.php/2285/sstc-saml-sec-consider-1.1-cs-01.pdf

 

The following additional non-normative documents describe errata and issues dealt with by the SSTC during its work on SAML 1.1.

·         http://www.oasis-open.org/committees/download.php/2755/sstc-saml-errata-1.1-draft-14.pdf

·         http://www.oasis-open.org/committees/download.php/2665/sstc-saml-1.1-issues-draft-01.pdf

 

2. "A clear English-language summary of the specification".

 

The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain.

 

Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes. Note that assertions containing authentication statements merely describe acts of authentication that happened previously.

 

Assertions are issued by SAML authorities, namely, authentication authorities, attribute authorities, and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding, to SOAP over HTTP.

 

SAML may be profiled to enable Single Sign-On (SSO), the ability of a user to authenticate in one domain and use resources in other domains without re-authenticating. The SAML specifications define two Web Browser SSO Profiles. However, note that SAML can be profiled to support various non-SSO-specific usage scenarios, such as in authorization systems.

 

3. "Certification by at least three OASIS member organizations that they are successfully using the specification consistently with the OASIS IPR Policy". The following OASIS SSTC members have certified to the SSTC Co-Chairs that they are successfully using the SAML 1.1 Committee Specifications consistent with the OASIS IPR Policy:
• Baltimore Technologies, Inc
• Internet2
• RSA Security, Inc
• Sigaba, Inc

 

4. "An account of or pointer to the comments/issues raised during the public review period, along with their resolution". The following comments were raised during the SAML 1.1 Public Review:
• http://lists.oasis-open.org/archives/security-services/200305/msg00148.html - This comment was addressed at the 10-June SSTC meeting. See minutes at http://lists.oasis-open.org/archives/security-services/200306/msg00006.html
• http://lists.oasis-open.org/archives/security-services/200305/msg00150.html -This comment was addressed by PE23 in the errata document listed above.
• http://lists.oasis-open.org/archives/security-services/200306/msg00018.html - This comment was addressed during the 1-July SSTC meeting. See minutes at: http://lists.oasis-open.org/archives/security-services/200307/msg00002.html.

 

5. "An account of or pointer to votes and comments received in any earlier attempts to standardize substantially the same specification, together with the originating TC's response to each comment". There were no earlier attempts to standardize this specification.

 

6. "A pointer to the publicly visible comments archive for the originating TC".  The publicly available comments archive for the SSTC are available at:

·         http://lists.oasis-open.org/archives/security-services-comment/

 

7. "A statement from the chair of the TC certifying that all members of the TC have been provided with a copy of the OASIS IPR Policy". This statement is available at:

·         http://lists.oasis-open.org/archives/security-services/200307/msg00027.html

 

 

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com