saml-dev message

Subject: Re: [saml-dev] Hi, please help on this question about SAML


Hello-- Here is my attempt to answer your questions:

Shun Xiang Yang wrote:
> Hi, guys
> 
> I'm new to SAML, so, please help on the following questions. Thanks!
> 
> A. Questions about Figure 1 in "Assertions and Protocol for SAML,
> Committee Specification 01, 31 May 2002".
> 
>       1. There are 3 policy repositories listed at the top of the figure. Are
> they all XACML policy repositories? Or only the one for 'Policy Decision
> Point' is of XACML, because XACML represents authorization and entitlement
> policies, not for authentication and attribute (access) policies?

SAML does not place any requirements on how the policies are stored, or 
even require that these policy stores exist.  The diagram is 
illustrating the fact that the SAML authorities get external input, in 
many cases from policy stores.

>       2. What do the dashed arrows mean? "Authentication Assertion" can be
> input for "Attribute Authority" to make "Attribute Assertion"?

They mean that SAML assertions can be used as auxiliary input (for 
example, as advice) when making a request of a SAML authority.  The 
particular arrows and the "order" shown for the assertions shouldn't be 
taken too literally.

> B. Question about Binding and Profile:
> 
>       1. What's the relationship and difference between Binding and
> Profile, for example, SOAP Binding and SOAP Profile? The definitions sound
> good, but when applying to SOAP Binding and SOAP Profile, I'm confused.

The SOAP binding says how to communicate between SAML authorities and 
relying parties (that is, send SAML requests and responses) using SOAP. 
The requests and responses are the payload.  An authority is being 
seen as a service in and of itself.

The SOAP profile (note: it's in flux at this very moment!) says how to 
use SAML assertions in the header of a SOAP message to help secure the 
"real" traffic in the payload.  This is something like what's proposed 
in other specs such as SOAP-SEC and now WS-security, but specifically 
applying SAML assertions in this case.

> C. Question about Authentication Request:
> 
>       1. What message should be used when raising an Authentication
> Request? Authentication Query seems to query the authentication acts
> already performed.

Yep, that's right.  SAML authentication assertions just report on 
previous acts of authentication.  A SAML authentication assertion 
request doesn't ask for somebody to be authenticated.  This job is out 
of scope for SAML 1.0.

> D. Question about the data model which SAML applied to:
> 
>       1. The 'subject', 'resource', 'action', etc. are all described with
> anyURI. The participants in the SAML usage should describe their
> subjects, resources, actions, and other data models using a URI-like format,
> right? For example, an XML file describing the data model of their IT
> system. And they should agree on this, right? Why not define
> a meta-model for these data models?

Subject confirmation methods, sets of actions, sets of attributes, etc. 
are identified by URI reference in an "XML namespace-like" fashion; SAML 
is agnostic on what is behind that URI, if anything.  You can have RDF 
statements there (for example) if you want, but a SAML implementation is 
not required to dereference the URI to find them.

Resources are identified by URI reference because they are assumed to be 
Web resources.  So it's possible they will literally be dereferenced as 
such.

> Thanks a lot!

I hope this helps,

	Eve

> Best Regards,
> 
> Yang Shunxiang, 杨顺祥
> IBM China Research Lab
> 4F, HaoHai, #7, 5th Street, Shangdi, BEIJING, 100085, CHINA
> TEL:    86-10-62986677 ext. 545
> FAX:    86-10-82899634
> E-mail: yangsx@cn.ibm.com

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 883 5917
XML Web Services / Industry Initiatives      eve.maler @ sun.com
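
Added example, not from this thread and not the SAML TC's own code: Python that builds the two SOAP message shapes Eve distinguishes above, the SOAP binding (a SAML AuthenticationQuery as the SOAP Body payload, which as in answer C only asks about authentication acts already performed) and the SOAP profile (an existing assertion in the SOAP Header securing an application payload in the Body), plus a check that tells the two apart. The issuer, timestamps, request/assertion IDs and subject names are constructed placeholders; only the SAML 1.0 and SOAP 1.1 namespaces, element and attribute names are real.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"       # SOAP 1.1 envelope
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"           # SAML 1.0 request/response
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"           # SAML 1.0 assertions
PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"  # an AuthenticationMethod URI

def _envelope():
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    return env, header, body

def _subject(parent, name):
    subj = ET.SubElement(parent, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = name

def binding_message(request_id, name):
    """SOAP binding: the SAML request is itself the SOAP payload. The
    AuthenticationQuery asks what authentication acts were already
    performed for `name`; it does not ask anyone to authenticate them."""
    env, _, body = _envelope()
    req = ET.SubElement(body, f"{{{SAMLP}}}Request", RequestID=request_id,
                        MajorVersion="1", MinorVersion="0",
                        IssueInstant="2002-06-01T12:00:00Z")  # constructed time
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery",
                          AuthenticationMethod=PASSWORD_AM)
    _subject(query, name)
    return ET.tostring(env, encoding="unicode")

def profile_message(assertion_id, name, app_payload_tag):
    """SOAP profile: a previously issued assertion rides in the SOAP Header
    to secure the application's own ("real") message in the Body."""
    env, header, body = _envelope()
    a = ET.SubElement(header, f"{{{SAML}}}Assertion", AssertionID=assertion_id,
                      Issuer="urn:example:idp",  # constructed issuer
                      MajorVersion="1", MinorVersion="0",
                      IssueInstant="2002-06-01T12:00:00Z")
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                         AuthenticationMethod=PASSWORD_AM,
                         AuthenticationInstant="2002-06-01T11:59:00Z")
    _subject(stmt, name)
    ET.SubElement(body, app_payload_tag)  # the payload the assertion secures
    return ET.tostring(env, encoding="unicode")

def classify(xml_text):
    """'binding' if the Body carries a SAML Request/Response, 'profile' if a
    SAML Assertion sits in the Header, otherwise 'other'."""
    env = ET.fromstring(xml_text)
    for proto in ("Request", "Response"):
        if env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}{proto}") is not None:
            return "binding"
    if env.find(f"{{{SOAP}}}Header/{{{SAML}}}Assertion") is not None:
        return "profile"
    return "other"
```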


