Subject: Re: [saml-dev] Hi, please help on this question about SAML
Hello-- Here is my attempt to answer your questions:

Shun Xiang Yang wrote:
> Hi, guys
>
> I'm new to SAML, so, please help on the following questions. Thanks!
>
> A. Questions about Figure 1 in "Assertions and Protocol for SAML,
> Committee Specification 01, 31 May 2002".
>
> 1. There's 3 policy repositories listed at the top of the figure. Are
> they all XACML policy repositories? Or only the one for 'Policy Decision
> Point' is of XACML, because XACML represents authorization and entitlement
> policies, not for authentication and attribute (access) policies?

SAML does not place any requirements on how the policies are stored, or even require that these policy stores exist. The diagram is illustrating the fact that the SAML authorities get external input, in many cases from policy stores.

> 2. What do the dashed arrows mean? "Authentication Assertion" can be
> input for "Attribute Authority" to make "Attribute Assertion"?

They mean that SAML assertions can be used as auxiliary input (for example, as advice) when making a request of a SAML authority. The particular arrows and the "order" shown for the assertions shouldn't be taken too literally.

> B. Question about Binding and Profile:
>
> 1. What's the relationship and difference between Binding and
> Profile, for example, SOAP Binding and SOAP Profile? The definitions sound
> good, but when applying to SOAP Binding and SOAP Profile, I'm confused.

The SOAP binding says how to communicate between SAML authorities and relying parties (that is, send SAML requests and responses) using SOAP. The requests and responses are the payload. An authority is being seen as a service in and of itself.

The SOAP profile (note: it's in flux at this very moment!) says how to use SAML assertions in the header of a SOAP message to help secure the "real" traffic in the payload. This is something like what's proposed in other specs such as SOAP-SEC and now WS-Security, but specifically applying SAML assertions in this case.

> C. Question about Authentication Request:
>
> 1. What message should be used when raising an Authentication
> Request? Authentication Query seems to query the authentication acts
> already performed.

Yep, that's right. SAML authentication assertions just report on previous acts of authentication. A SAML authentication assertion request doesn't ask for somebody to be authenticated. This job is out of scope for SAML 1.0.

> D. Question about the data model which SAML applied to:
>
> 1. The 'subject', 'resource', 'action', etc. are all described with
> anyURI. The participants in the SAML usage should describe their
> subjects, resources, actions, and other data models using URI-like format,
> right? For example, an XML file describing the data model of their IT
> system. And they should agree on this, right? Why not define
> a meta-model for these data models?

Subject confirmation methods, sets of actions, sets of attributes, etc. are identified by URI reference in an "XML namespace-like" fashion; SAML is agnostic on what is behind that URI, if anything. You can have RDF statements there (for example) if you want, but a SAML implementation is not required to dereference the URI to find them.

Resources are identified by URI reference because they are assumed to be Web resources. So it's possible they will literally be dereferenced as such.

> Thanks a lot!

I hope this helps,

Eve

> Best Regards,
>
> Yang Shunxiang, 杨顺祥
> IBM China Research Lab
> 4F, HaoHai, #7, 5th Street, Shangdi, BEIJING, 100085, CHINA
> TEL: 86-10-62986677 ext. 545
> FAX: 86-10-82899634
> E-mail: yangsx@cn.ibm.com

--
Eve Maler                                    +1 781 442 3190
Sun Microsystems                        cell +1 781 883 5917
XML Web Services / Industry Initiatives    eve.maler @ sun.com
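The distinction drawn in B (SOAP binding: the SAML request is the Body payload; SOAP profile: an assertion rides in the Header to secure the Body's own traffic) and the point in C (an AuthenticationQuery only reports prior acts of authentication), as an added Python example that is not part of the thread. It uses the SAML 1.0 and SOAP 1.1 namespaces; the subject name, issuer, IDs and the "GetOrders" application body are constructed sample values.

```python
# Added example, not code from the thread: SAML 1.0 / SOAP 1.1 namespaces are real;
# issuer, subject, IDs and the "GetOrders" body are constructed sample values.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

def build_binding_message(subject_name: str) -> bytes:
    """SOAP binding: the SAML protocol message IS the Body payload. The
    AuthenticationQuery asks what acts were already performed; it logs nobody in."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}Request",
                        RequestID="_req-constructed-1", MajorVersion="1",
                        MinorVersion="0", IssueInstant="2002-06-01T12:00:00Z")
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery")
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject_name
    return ET.tostring(env)

def build_profile_message(subject_name: str, app_payload: str) -> bytes:
    """SOAP profile: an assertion in the Header secures the "real" application
    traffic carried in the Body (here a hypothetical GetOrders call)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    assertion = ET.SubElement(header, f"{{{SAML}}}Assertion", AssertionID="_asn-1",
                              MajorVersion="1", MinorVersion="0",
                              Issuer="https://idp.example", IssueInstant="2002-06-01T12:00:00Z")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement",
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password",
                         AuthenticationInstant="2002-06-01T11:59:00Z")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject_name
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetOrders").text = app_payload  # constructed app call
    return ET.tostring(env)

def classify(envelope: bytes) -> str:
    """'binding' if the Body is a SAML protocol message, 'profile' if assertions
    sit in the Header, else 'other'. A receiver should only honour the position its profile expects."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP}}}Body")
    header = root.find(f"{{{SOAP}}}Header")
    if body is not None and body.find(f"{{{SAMLP}}}Request") is not None:
        return "binding"
    if header is not None and header.find(f"{{{SAML}}}Assertion") is not None:
        return "profile"
    return "other"
```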