OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] Comment on SAML implementations and their inter-op properties


I think we have all been somewhat distracted with a whole range of issues at the
time this message appeared. 

http://burtongroup.com/weblogs/danielblum/

The key part is:

"1) OASIS, or an appropriate third party, should arrange for a reference
implementation, or test harness, of SAML to be created against which all
implementers can freely test over the network. This alone may be sufficient
to solve the brunt of the interoperability issue, and it should be possible
to create such an implementation using OpenSAML or SourceID in less than 90
days. As a follow up OASIS or an appropriate third party could also arrange
for recurring interoperability testing events similar to those Liberty
Alliance has announced."

I would like to see this discussed further within the TC and explore how to
support this. We should begin with SAML 1.X and consider also how we will
support SAML 2.0 in the future. 

With SAML 1.0 in substantial deployment, Netegrity is now receiving inputs
on some of the problems with it. And one of the simplest is: how do we know
whether your products will inter-operate with vendor X? Or, we had such and
such problem and we think it's because you guys made a mistake in the ZZZ
profile of SAML. There is also an emerging "perception" problem --- these
SAML guys aren't serious about on-the-wire interoperability, or they want to
sell consulting services or something. All of this is going to dilute the
value of SAML 1.X today and SAML 2.0 going forward.

Some kind of certification claim would really help with deployment. It would
also genuinely separate the situations where consulting is needed versus
basic inter-operability. It doesn't have to be a big formal procedure with
lots of organizations involved. 

For example, some vendors are supporting SAML toolkits. Would there be
interest amongst vendors to sponsor a third-party to create a test-suite
around the two web browser profiles in SAML 1.X and make them available to
the community? The SAML toolkit vendor gets the glory and the community gets
a test harness. But some investment would need to be made to build the test
harness and host it etc.


- prateek

-----Original Message-----
From: Eve L. Maler [mailto:eve.maler@sun.com] 
Sent: Monday, November 10, 2003 1:58 PM
To: 'security-services@lists.oasis-open.org'
Subject: Re: [security-services] Comment on SAML implementations and their
inter-op properties

Interesting and timely feedback.

The issue of working on a test suite came up in the September meeting, 
but we didn't get very far with it.  Perhaps we should see if Daniel 
Blum's exhortation makes it more attractive for some SAML participants 
to take on this resource-intensive task.  At the least, should we be 
planning additional interop events for various scenarios?

Regarding having a "must-implement profile": This seems a little weird 
to me if you look at the entire range of possible and existing profiles, 
though if we couched it in terms like "*If you're doing SSO*, you must 
support XYZ profile" it would make more sense.  We discussed this idea 
very early on; maybe it's time to revisit it.

Regarding "cookbook" material, we are indeed creating more outreach 
materials, including executive and technical overviews and the FAQ. 
Maybe we (John Hughes and I?) should contact Daniel about this and offer 
the opportunity to review and make suggestions.

	Eve

Mishra, Prateek wrote:

> http://burtongroup.com/weblogs/danielblum/
> 
> - prateek
> 
> Prateek Mishra
> Director, Tech&Arch
> Netegrity
> 
> p: 781-530-6564
> c: 617-875-4970
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com

