Subject: Getting more work done on the FAQ
I took an AI on today's call to collect and send out FAQs. I'd like to get the following from all of you (please send me mail directly, unless you think the TC would benefit from seeing your response):

- Comments on the existing FAQ answers
- Comments on which new questions are most important to address soon
- Suggestions for additional questions
- Signups to draft some answers (for either new questions, or improved answers to existing questions)

The existing FAQ is here:

http://www.oasis-open.org/committees/security/faq.php

It covers the following questions:

1. General

Q: What is SAML?
Q: What is the need for this specification?
Q: What has the SAML TC produced to date and what is the roadmap?
Q: Who should be involved in this effort?
Q: Who will benefit from this work and how?
Q: How does this work compare with related efforts at other standard organizations?

2. Technical

Q: What is the connection between acts of authentication and SAML authentication assertions?
Q: How does SAML protect against "man-in-the-middle" and "replay" security attacks in general?
Q: How is trust established between a client and a SAML authority?
Q: Will SAML PDPs need to be configured to understand only selected authorization decision queries?
Q: I don't currently use SOAP. Do I need to invent my own protocol for requesting and getting SAML assertions?

Following are additional questions for which written answers don't exist. Some of these overlap; I'm just documenting them all in one place for the first time, and it's interesting to see which come up multiple times.

Collected in late 2001/early 2002, mostly contributed by Edwin DeSouza (in this case, I did remove the ones we covered above):

1. General

Q: Where is SAML being standardized?
Q: Who is participating in SAML?
Q: What will be the benefit of having all the major security vendors implement SAML?

2. Features and Benefits

Q: Does SAML provide facilities for authentication?
Q: Does SAML provide facilities for authorization and access control?
Q: Does SAML provide facilities for distributed session management?
Q: Can SAML be used to provide SSO for web services?
Q: Can SAML be used to provide SSO for web applications (pure HTML clients)?
Q: Can SAML be used to provide SSO for web-enabled legacy applications (Citrix/Transfuse to legacy client/server applications)?
Q: Can SAML be used to provide SSO across a set of applications within an enterprise (intranet)?
Q: Can SAML be used to provide SSO across a set of applications across a set of enterprises (extranet) and across firewalls?
Q: Can SAML provide SSO across various OS, directory, database, firewall, etc. combinations?

3. SAML and Other Technologies

3.1. Relationship to Other Standards

Q: How does SAML work with XML? Is XML required?
Q: How does SAML work with HTTP and HTTPS? Is HTTPS or HTTP required?
Q: How does SAML work with SOAP? Is SOAP required?
Q: How does SAML work with SSL and TLS?
Q: How does SAML work with PKI?
Q: How does SAML work with other authentication devices?
Q: How does SAML work with LDAP?
Q: How does SAML work with XKMS (XML Key Management Specification)?
Q: How does SAML work with XACML (Access Control Markup Language)?
Q: How does SAML work with PSML (Provisioning Services Markup Language)?
Q: How does SAML work with DSML (Directory Services Markup Language)?
Q: How does SAML work with Kerberos?
Q: How does SAML work with XML Signature?
Q: How does SAML work with XML Encryption?

3.2. Relationship to Other Single Sign-On Frameworks

Q: How does SAML work with Microsoft Passport?
Q: How does SAML work with Project Liberty?

4. Technical

Q: How can I trust/verify a SAML transaction?
Q: Is there a mechanism for telling a remote party that someone's authentication has now expired?
Q: Can SAML appear in both the header and the body of a SOAP message?
Q: Will SAML PDPs need to be configured to understand only selected authentication decision queries?

Suggested/asked by various people over the past few months:

Q: What is federated identity?
Q: How are SAML and Liberty related wrt federated identity?
Q: Can I share attribute information with SAML? Can I share authorization information with SAML? (In order to highlight the "non-authentication" parts of SAML)
Q: Will the use of XML/SAML hurt the performance of transactions?
Q: Can I use XrML or XACML or both with SAML?
Q: What are the differences between SAML and Liberty?
Q: What is the relation between SAML, XACML, XrML, and SPML? (This was from a public comment. Further questions here: "It seems that for example for an access control system there is no clear-cut for which standard is applicable (assuming of course that standards are of interest). In case all four apply, what are the areas of conflict between the four or any couple? How about maturity and industry acceptance? Obviously SAML is in good condition in this respect. How about the others?")
Q: How do I use SAML on Citrix architectures?
Q: How do you maintain persistence of SAML assertions?
Q: How do you manage lifetime of SAML assertions?
Q: How do you squeeze more content into SAML when you wish to mix (more) authentication with attributes?
Q: Why use SAML - is it secure? (further comment from this person: "answer: the threats (list) have all been examined, worked through, and it is the only such set of constructs in the public domain")
Q: Performance - can one use SAML for non-web based applications? And if so, how is best?
Q: What is the position today of SAML with respect to Liberty?

Thanks for your input,

Eve

--
Eve Maler                                    +1 781 442 3190
Sun Microsystems                        cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com