Re: [security-services] Non-browser HTTP binding for SAML

[George Fletcher <george.fletcher@corp.aol.com>]

Scott Cantor wrote:
>> So, I guess the ultimate question is whether there is interest in making
>> a HTTP binding for the SAML protocol that doesn't require SOAP and
>> supports direct server-to-server calls.  In thinking more about this, it
>> might be just as easy to support an OAuth compatible binding.  Google is
>> supporting RSA signing with OAuth so I believe we could achieve
>> equivalent security.
>>
>> Another option would be to just extend SimpleSign to support signing of
>> arbitrary HTTP based messages. I think all that is needed here is to
>> allow the message to specify the parameters that need to be signed.
>> Basically, just add a 'Signed' parameter that in the SAML case could be
>> 'SAMLRequest,RelayState,SigAlg'. Of course the Signed parameter would be
>> signed and we'd have to describe how to build the signature-base-string.
>>     
>
> I think one question here (separate from the question of whether SAML needs
> a synchronous HTTP binding) is whether this should be defined by SAML, or
> whether somebody needs to solve the generic problem of signing HTTP (I think
> the answer is yes, queue the S-HTTP discussion, etc.)
>
> A perhaps related blog post:
> http://blog.jclark.com/2007/10/why-not-smime.html
>
> If nobody's going to solve that, then I suppose we could, but it seems to me
> that, for one thing, it's easier when going server to server to be able to
> pass the XML as the MIME body, rather than have to screw around with form
> posting. I would think that would be the "natural" way to do such a binding,
> but it sounds like your use case would need the ability to use a form post.
> Although I suppose you could use an Extension.
>
> -- Scott
>
>   
Interestingly I was having a similar conversation (one of the reasons I 
was late to the call). Dealing with "form posted" content even in a 
server-to-server mechanism isn't difficult because most of the tools 
handle this for you. So the servlet just pulls them apart and puts them 
in a hash-map. However, the point is well made... and if some transport 
mechanism allowed for signing that would be fine. At AOL we don't 
require the "form post" syntax, but are just using it because it more 
closely matches what's already in SimpleSign and we were/are trying to 
stay as close to the standard as possible.

Thanks,
George

P.S. I'm guessing an OAuth binding would also just put the XML in 
plaintext in the message and would remove the "form post" syntax. The 
only reason to keep something like the "form post" syntax is if 
additional elements are desired to be combined with the SAML message.

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher@corp.aol.com
AOL LLC                           Home: gffletch@aol.com
Mobile: +1-703-462-3494
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com