Subject: Re: [saml-dev] Minutes for Tuesday's call - 5/7/2002
FYI. Sun will only participate in the west coast dry run.

Thanks
Bhavna

> Date: Tue, 07 May 2002 14:13:01 -0400
> From: "Philpott, Robert" <rphilpott@rsasecurity.com>
> Subject: [saml-dev] Minutes for Tuesday's call - 5/7/2002
> To: saml-dev@lists.oasis-open.org
>
> Please send along corrections or additions!
>
> Attendees (I'm sure I messed up the spelling for some of these - sorry):
>
>   Rob Philpott - RSA Security
>   Prateek Mishra - Netegrity
>   Hal Lockhart, Ryan Eberhard - Entegrity
>   Don Bowen, Bahazna Bhatnagar - Sun
>   Irving Reid - Baltimore
>   Jahan Moreh, Sayan Chakraborty - Sigaba
>   Charles Knouse - Oblix
>   Don Flinn - Quadrasis
>   Ken Yagen, Mingda Su, Andrew Fetterer - Crosslogix
>   Ben ? - Tivoli
>
> ACTION ITEMS:
>
> 1. Prateek - Send out updated B/A Profile document
>
> 2. Don Flinn - Write up and send to the list a proposal for using SAML
>    in the mid and back-end tiers.
>
> 3. Ken Yagan - If others are interested, work with those vendors and
>    develop a concrete, detailed proposal for demonstrating authorization
>    decision statements.
>
> 4. Hal - Write a proposal for displaying interesting info to show what's
>    happening behind the scenes with SAML.
>
> 5. ALL Participants - Indicate on the mailing list whether they prefer
>    all participants stick to just the core interop demo or whether they
>    are fine if some subset of vendors demonstrate additional capabilities
>    beyond the Browser/Artifact Profile.
>
> 6. RSA and Sun - Ensure that systems are protected from the internet
>    during the dry run.
>
> 7. Bahazna Bhatnagar or Don Bowen - Follow up on whether Sun will
>    participate in both dry runs.
>
> 8. ALL - Send dumps or traces of requests and assertions to the list.
>    This will let folks check for ambiguities prior to the dry run.
>
> AGENDA ITEMS:
>
>> 1. Clarify all actions related to finalizing technical focus
>>
>> As Hal and I both have said in recent emails, we must start
>> making final decisions on what will be tested and by who.
>> This needs to be at a sufficient enough detail so that there
>> are no doubts. I have a small fear that we might include too
>> much, as Prateek warned in the beginning. However, I have a
>> bigger fear that we won't include enough or that we will
>> "agree" to include something, but because of the lack of
>> detailed communication about what that means someone will be
>> left out. We absolutely must avoid either of these
>> scenarios. Personally I believe that browser profile is not
>> enough, but discussions on other aspects have not been
>> sufficient. I'm not even sure the browser profile details
>> are sufficient. This is our highest priority.
>
> Prateek published a document describing the Browser/Artifact Profile
> flows for the demo. Some comments were received and an update will be
> sent out soon.
>
> There was quite a lengthy discussion of possible extensions to the
> interop demo functionality. This fell into several categories:
>
> 1. Using SAML in the mid-tier or between the mid-tier and back-ends.
>
> Quadrasis is interested in a scenario that involves using some vendor's
> B/A profile for authentication and then performing an AttributeQuery to
> another vendor's authority. Several interesting points were raised
> during the discussion:
>
> a. The current B/A Profile proposal involves a single assertion
>    containing both an AuthenticationStatement and an AttributeStatement.
>
> b. Some vendors (Baltimore, Sun, etc) did not interpret B/A Profile as a
>    1-step process. They were planning to use 2 steps. First they would
>    use the artifact to obtain an assertion with a single
>    AuthenticationStatement. They would then take the Subject from that
>    assertion and make a separate AttributeQuery.
>
> c. ? Doesn't the SSO assertion specify inclusion of attributes? No.
>
> d. Rob - Will the 1-Step SAML Request include RespondWith elements
>    identifying the 2 statements required by the response? Hal - yes.
>
> e. Hal - If folks have a general SAML SOAP Binding responder, then the
>    demo could be changed.
>
> f. Some vendors (Entegrity, RSA, Netegrity) plan to eventually provide
>    support for the 2-step approach, although they probably will not be
>    ready by the interop date. They (and Tivoli) were in favor of keeping
>    the 1-step exchange for the interop.
>
> 2. Support for Authorization Decision queries and statements.
>
> a. Ken Yagen asked whether authorization queries will be supported. Very
>    few vendors will have this ready. If this is desired, a concrete
>    proposal is needed ASAP.
>
> 3. Providing visual feedback of the SAML activities going on behind the
>    demos.
>
> a. Hal - One idea would be to reserve a component of the screen to
>    display info showing what is going on with SAML (e.g. where
>    authenticated, your attributes, etc.) Hal will propose something more
>    specific.
>
> 4. Using the Browser/POST profile
>
> a. Sigaba is interested in B/P Profile.
>
> b. Several vendors (Sun, Entegrity, RSA, Baltimore) have it in their
>    plans, but don't expect to have it ready for the interop.
>
> c. Prateek - Doing it without DSIG is dangerous and this greatly
>    complicates the scenario.
>
>> 2. Review dry-run configuration details as proposed by
>> Robert Philpott from RSA
>>
>> There has just been too little of this thread for me to feel
>> good, but I don't think it should take much to have
>> something we can go with for both east and west coast
>> dry-runs.
>
> Looks fine.
>
> Hal - We don't really need inbound traffic. It just opens our systems up
> to attack from the internet.
>
> Rob - the systems will be behind a firewall and will be protected.
>
> Irving - we're also running on a non-routing subnet so that limits our
> exposure.
>
>> 3. Review which companies will attend and where
>>
>> This information is in the spreadsheet I've been
>> maintaining, but won't hurt to review
>
> Everyone needs to ensure that Don's spreadsheet is correct.
>
> Rob - Has email (Aravindan Ranganathan [mailto:aravind@sun.com])
> indicating Sun would like to participate in dry runs on both coasts.
> Need someone to confirm.
>
> Systinet may have dropped out.
>
>> 4. Check status on marketing progress
>>
>> I don't know that anything is going on in this area and that
>> has to change quickly. I will talk to our marketing person
>> this week, but we almost need a marketing point person. They
>> don't have to know everything, just take responsibility to
>> make sure discussions are taking place and sufficient
>> progress is occurring to insure success for that element. If
>> we fail here, we fail :-)
>
> We're leaving this one for Don to follow up.
>
>> 5. Review status on each vendor's SAML development
>>
>> Not a big deal, but we should just insure that dates in the
>> spreadsheet and associated capabilities are still valid.
>
> Post to the list making sure the supported functionality in the
> spreadsheet is correct.
>
>> 6. Discuss internet testing, who may participate and how
>
> Entegrity and Baltimore are trying it - should be another week before
> they're ready.

________________________________________________________________________
Bhavna Bhatnagar
Sun Microsystems Inc.
Identity Management group                          __o
Tel: 408-276-3591                                _`\<,_
                                                (*)/ (*)
________________________________________________________________________