Subject: Re: IBM position on charter text (WAS: Groups - sstc-saml-charter-2.0-draft-02.doc uploaded)
Hi Tony,

This note refers to your message: http://lists.oasis-open.org/archives/security-services/200311/msg00039.html

My comments are based on internal discussion at Netegrity, discussions with our customers, as well as my association with the SSTC (and SAML) since its inception.

(1) SAML 1.X comprises both an XML syntax for expressing authentication and authorization as well as "profiles" for solving specific business problems. For example, the SAML 1.0 Bindings and Profiles document describes "Web Browser SSO Profiles" -- technology that allows a user to authenticate at one site and to securely access resources at a second site based on transfer of SAML assertions. Additional and more specific documentation from the SSTC archives wherein TC members discuss the further need for federation etc. can also be cited, but it should be clear from this component of SAML 1.X that the SSTC has always viewed protocols for identity propagation (and related processing models) as part of its problem domain.

(2) I agree that developing an abstract framework for federation, one which is token independent and has additional properties such as a "more modular and functionally cohesive approach", would be preferable to a SAML-only federation framework. Developing such a framework is a substantial task and, to our knowledge, has not yet been initiated or even scheduled within a standards body. In any case, I would argue that given the lack of real-life federation implementations other than those based on SAML, creation of an abstract framework would be aided by a fully-developed example of a specific instance (e.g., SAML).

(3) There are a number of specifications that have built on the SAML 1.0 foundations to construct richer sets of "profiles" implementing identity federation. These include the Liberty Alliance ID-FF specifications and Shibboleth, and each of these has also received implementation.

In addition, software vendors have a large number of SAML 1.X deployments supporting forms of identity federation, often with some "ad-hoc" extensions to provide functionality missing from SAML 1.X. Thus, we have a situation wherein SAML is used for federation in a large number of deployments, and customers and partners are urging us to unify these disparate but related approaches in a single SAML-based federation framework. The SSTC is responding to these market forces and has devised a charter and scope document with a short time-line so as to standardize the "next slice" of technology that the market requires.

The key issue, I think, is one of a time-line. In the indefinite future, I believe SAML 2.0 will be subsumed by broader approaches along the lines you have outlined. However, in the near-term there is a clear market need and rationale for this TC as described in its proposed charter.

---------------------------------------------------
Prateek Mishra
Director, Tech&Arch
Netegrity
p: 781-530-6564
c: 617-875-4970