security-services message
Subject: Re: IBM position on charter text (WAS: Groups - sstc-saml-charter-2.0-draft-02.doc uploaded)


Hi Tony,

This note refers to your message:
http://lists.oasis-open.org/archives/security-services/200311/msg00039.html

My comments are based on internal discussion at Netegrity, discussions with
our customers, as well as my association with the SSTC (and SAML) since its
inception.

(1) SAML 1.X comprises both an XML syntax for expressing authentication and
authorization as well as "profiles" for solving specific business problems.
For example, the SAML 1.0 Bindings and Profiles document describes "Web
Browser SSO Profiles" -- technology that allows a user to authenticate at
one site and to securely access resources at a second site based on transfer
of SAML assertions. 

Additional and more specific documentation from the SSTC archives wherein TC
members discuss the further need for federation etc. can also be cited, but
it should be clear from this component of SAML 1.X that the SSTC has always
viewed protocols for identity propagation (and related processing models) as
part of its problem domain. 

(2) I agree that developing an abstract framework for federation, one which
is token-independent and has additional properties such as a "more modular and
functionally cohesive approach", would be preferable to a SAML-only
federation framework. Developing such a framework is a substantial task and,
to our knowledge, has not yet been initiated or even scheduled within a
standards body. In any case, I would argue that given the lack of real-life
federation implementations other than those based on SAML, creation of an
abstract framework would be aided by a fully developed example of a specific
instance (e.g., SAML).

(3) There are a number of specifications that have built on the SAML 1.0
foundations to construct richer sets of "profiles" implementing identity
federation. These include the Liberty Alliance ID-FF specifications and
Shibboleth, and each of these has also received implementation. In
addition, software vendors have a large number of SAML 1.X deployments
supporting forms of identity federation, often with some "ad hoc" extensions
to provide functionality missing from SAML 1.X.

Thus, we have a situation wherein SAML is used for federation in a large
number of deployments, and customers and partners are urging us to unify
these disparate but related approaches in a single SAML-based federation
framework. The SSTC is responding to these market forces and has devised a
charter and scope document with a short timeline so as to standardize the
"next slice" of technology that the market requires.

The key issue, I think, is one of timeline. In the indefinite future, I
believe SAML 2.0 will be subsumed by broader approaches along the lines you
have outlined. However, in the near term there is a clear market need and
rationale for this TC as described in its proposed charter.

---------------------------------------------------

Prateek Mishra
Director, Tech&Arch
Netegrity
 
p: 781-530-6564
c: 617-875-4970
