
security-services message



Subject: Getting more work done on the FAQ


I took an AI on today's call to collect and send out FAQs.  I'd like to 
get the following from all of you (please send me mail directly, unless 
you think the TC would benefit from seeing your response):

- Comments on the existing FAQ answers
- Comments on which new questions are most important to address soon
- Suggestions for additional questions
- Signups to draft some answers (for either new questions, or improved
   answers to existing questions)

The existing FAQ is here:

   http://www.oasis-open.org/committees/security/faq.php

It covers the following questions:

1. General
     Q: What is SAML?
     Q: What is the need for this specification?
     Q: What has the SAML TC produced to date and what is the roadmap?
     Q: Who should be involved in this effort?
     Q: Who will benefit from this work and how?
     Q: How does this work compare with related efforts at other standard organizations?
2. Technical
     Q: What is the connection between acts of authentication and SAML authentication assertions?
     Q: How does SAML protect against "man-in-the-middle" and "replay" security attacks in general?
     Q: How is trust established between a client and a SAML authority?
     Q: Will SAML PDPs need to be configured to understand only selected authorization decision queries?
     Q: I don't currently use SOAP. Do I need to invent my own protocol for requesting and getting SAML assertions?

Following are additional questions for which written answers don't 
exist.  Some of these overlap; I'm just documenting them all in one 
place for the first time, and it's interesting to see which come up 
multiple times:

Collected in late 2001/early 2002, mostly contributed by Edwin DeSouza 
(in this case, I did remove the ones we covered above):

1. General
     Q: Where is SAML being standardized?
     Q: Who is participating in SAML?
     Q: What will be the benefit of having all the major security vendors implement SAML?
2. Features and Benefits
     Q: Does SAML provide facilities for authentication?
     Q: Does SAML provide facilities for authorization and access control?
     Q: Does SAML provide facilities for distributed session management?
     Q: Can SAML be used to provide SSO for web services?
     Q: Can SAML be used to provide SSO for web applications (pure HTML clients)?
     Q: Can SAML be used to provide SSO for web-enabled legacy applications (Citrix/Transfuse to Legacy client/server applications)?
     Q: Can SAML be used to provide SSO across a set of applications within an enterprise (intranet)?
     Q: Can SAML be used to provide SSO across a set of applications across a set of enterprises (extranet) and across firewalls?
     Q: Can SAML provide SSO across various OS, directory, database, firewalls, etc. combinations?
3. SAML and Other Technologies
     3.1. Relationship to Other Standards
         Q: How does SAML work with XML? Is XML required?
         Q: How does SAML work with HTTP and HTTPS? Is HTTPS or HTTP required?
         Q: How does SAML work with SOAP? Is SOAP required?
         Q: How does SAML work with SSL and TLS?
         Q: How does SAML work with PKI?
         Q: How does SAML work with other authentication devices?
         Q: How does SAML work with LDAP?
         Q: How does SAML work with XKMS (Key Management Specification)?
         Q: How does SAML work with XACML (Access Control Markup Language)?
         Q: How does SAML work with PSML (Provisioning Services Markup Language)?
         Q: How does SAML work with DSML (Directory Services Markup Language)?
         Q: How does SAML work with Kerberos?
         Q: How does SAML work with XML Signature?
         Q: How does SAML work with XML Encryption?
     3.2. Relationship to Other Single Sign-On Frameworks
         Q: How does SAML work with Microsoft Passport?
         Q: How does SAML work with Project Liberty?
4. Technical
     Q: How can I trust/verify a SAML transaction?
     Q: Is there a mechanism for telling a remote party that someone's authentication has now expired?
     Q: Can SAML appear in both the header and the body of a SOAP message?
     Q: Will SAML PDPs need to be configured to understand only selected authentication decision queries?

Suggested/asked by various people over the past few months:

Q: What is federated identity?
Q: How are SAML and Liberty related wrt federated identity?
Q: Can I share attribute information with SAML? Can I share 
authorization information with SAML?  (In order to highlight the 
"non-authentication" parts of SAML)
Q: Will the use of XML/SAML hurt the performance of transactions?
Q: Can I use XrML or XACML or both with SAML?
Q: What are the differences between SAML and Liberty?
Q: What is the relation between SAML, XACML, XRML, and SPML?  (This was 
from a public comment.  Further questions here: "It seems that for 
example for an access control system there is no clear-cut for which 
standard is applicable (assuming of course that standards are of 
interest).  In case all four apply, what are the areas of conflict 
between the four or any couple?  How about maturity and industry 
acceptance?  Obviously SAML is in good condition in this respect.  How 
about the others?")
Q: How do I use SAML on Citrix architectures?
Q: How do you maintain persistence of SAML assertions?
Q: How do you manage lifetime of SAML assertions?
Q: How do you squeeze more content into SAML when you wish to mix (more) 
authentication with attributes?
Q: Why use SAML - is it secure? (further comment from this person: 
"answer: the threats (list) have all been examined, worked through, and 
it is the only such set of constructs in the public domain")
Q: Performance - can one use SAML for non-web based applications? And 
if so how is best?
Q: What is the position today of SAML with respect to Liberty?

Thanks for your input,

	Eve
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com


