RE: [security-services] Groups - Draft Webinar on SAML 2.1 Plans uploaded

[Hal Lockhart <hal.lockhart@oracle.com>]

> On Mon, Jul 9, 2012 at 1:52 PM, Hal Lockhart <hal.lockhart@oracle.com>
> wrote:
> > 1.      Should we try to characterize SAML deployments to date?
> 
> Yes.  I still get "does anyone really use this" questions despite us
> (the shib folks) having literally tens of thousands of deployments
> within HE, govt., healthcare, and finance.  As Scott and I have noted
> internally to the project; we're awful at marketing but there actually
> is some good data here if anyone could express it well.  But, see my
> comments for #2

Does anyone have any raw data or general characterizations I can use? I will be glad to work it up into slides, but I simply don't know anything precise I can say. I know there are "many" deployments and some are "very large" but other than certain specific ones, like Internet2 I don't know specifics. 

> 
> > 2.      Is there enough background for those not familiar with SAML?
> 
> I guess it depends on your audience.  If we're targeting people who
> aren't familiar with SAML I'd say you're going to need way more than
> the 20 minutes I've heard suggested.  I think, for this talk, I would
> target people already familiar with the spec and then, if we choose,
> have a follow on talk that is more for "noobs".

I agree that anybody attending the Webinar is likely to have some basic familiarity with SAML.

> 
> > 3.      Is there enough detail for those familiar with SAML?
> 
> Hard for me to judge.  I don't know what such people would really be
> looking for.  I feel like slide 7 might be better off as two slides
> with the names of the various profiles.  Those are usually fairly self-
> descriptive (if one is familiar with SAML already).

I assume you mean slide 6, the one with the table of the number of Profiles by Category. If I try to list all the titles of the 28 profiles, it will take at least 4 slides, assuming I can get each title on a single line and the type is large enough to read. (As a matter of principle I never put up an unreadable list or chart just to show there is a lot of something or that something is complicated.)

For the 2009 Report to ITU/T, which this set is partly based on, there were 18 Profiles which took me 7 slides to cover, with a small amount of explanatory material. I must respectfully disagree that the titles are self explanatory. Consider:

Metadata Profile for SAML V1.x
Metadata Extension for SAML V2.0 and V1.x Query Requesters
Metadata Extension for Entity Attributes
Metadata Interoperability Profile

Or

SAML V2.0 Attribute Extensions
Attribute Sharing Profile for X.509 Authentication-Based Systems
Subject-based Profiles for SAML V1.1 Assertions
Deployment Profiles for X.509 Subjects
X.500/LDAP Attribute Profile

Personally I have to refer to the summaries just to remember what they are about. I found the entire list pretty mind numbing. However if others agree with Chad, I will try to compress them into 4-5 slides.

Hal