
security-services message



Subject: Re: W3C WG vs SAML ?? Fwd: [security-services] Official statement to W3C WG about impact on SAML?


Chet's out for a few days on holiday. Scott C, it seems to me that we could offer a comment. Better if it has the general assent of this TC.
Are those who are subscribed here comfortable with Scott's take, if phrased politely - breaks both SAML and OpenID?
Is there a pointer to the compromise proposal?
Any comment from the TC chairs, Hal and Thomas?
Also, as a minor point, SAML is an OASIS and ITU-T standard (Rec X.1141), not ISO.
regards JAMIE

---------- Forwarded message ---------
From: Cantor, Scott <cantor.2@osu.edu>
Date: Thu, Mar 30, 2023 at 11:58 AM
Subject: [security-services] Official statement to W3C WG about impact on SAML?
To: SAML <security-services@lists.oasis-open.org>

There have been continued conversations (and one workshop) with some of the players in the browser space that are active in the W3C privacy WG that's proposing various browser changes.

The general status right now is that the main FedCM draft proposal is just an outright break of both SAML and OpenID Connect, with (IMHO) no obvious "tweak" possible to fix it.

A proposal has been formulated for discussion for a lighter-weight consent-oriented proposal in place of the full FedCM work that would be 99% compatible with the existing SSO protocols (a small JavaScript addition to the SP/RP end).

There is some sense that having an official-ish statement from OASIS or at least the SSTC that "hey, SAML is an ISO standard and your proposal breaks it in a way that isn't just easily fixable, a different approach is needed for a number of years if we need to effect a transition away from existing protocols".

Is that something we could consider?

We don't know who else we can come up with that the W3C or this WG might hear.

-- Scott




--
OASIS...Setting the standard for open collaboration

