OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] Introduction & Question about the "heaviness" of SAML

Hi Adam,
So is this going to dove-tail back into anything with Jabber?

If you're looking at SSO (which SAML can definitely play a part) you should
check out what we're doing in Internet 2 with Shibboleth
(http://middleware.internet2.edu/shibboleth) and WebISO

Possibly you could also look into what's going on in with PingID

I would advise getting more involved with one of those scenarios than trying
to do your own. The last thing the world needs is another SSO option since
one of the things preventing more wide-spread adoption is that there's too
many non-interopable options now.

I've also made the argument at the recent I2 meetings that everyone focuses
on authentication when it's authorization that's the kicker. It's relatively
easy to pass around SSO authentication tickets (which is why there's so many
freakin' different options out there). The more criticial & harder piece to
solve is standardizing authorization information which is the point that
SAML is trying to solve.

SAML isn't perfect. But nothing is. And it's got a lot more traction than
anything else out there.

If you have questions about I2 stuff -- you can email me offline as well at


-----Original Message-----
From: Adam Theo [mailto:theo@theoretic.com]
Sent: Saturday, November 09, 2002 2:29 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Introduction & Question about the "heaviness" of

Hello, all.

I'm new to the list, and signed up to better understand SAML. I'm
looking into it as a possible solution for an open source single sign-on
platform, although it's going to be a bit of a battle to talk my
co-developer into it since he's convinved SAML is too bloated and
cumbersome. But, I'm trying to fully understand it so I can try to find
ways to simplify the spec for our needs.

Currently my co-developer's idea for SSO is very simple (a bonus), but
not easily interoperable with industry standards(IMO) and possibly not
very resistant to forgery and other security hazards. I'd like to find a
way to use his basic idea from within SAML so that we can easily build
gateways to Liberty, Shibboleth, and other SAML-based systems. His idea
is based off of a simple hash string, called a Ticket, that is passed to
the requesting service by the user's identity host. This Ticket is used
to identify the session the user has with the service, as well as tell
the service that the identity host has validated the user.

I suppose I could start by asking a question based on his primary
argument. I'm trying to read through the specification now, and I think
it is true from what I've read, but would like to make sure from people
who are very familiar with SAML.

Is the ability to store information in the assertion that allows the
recipient to verify the validity of the assertion without a network
connection, such as after the network connection is dropped, mandatory?
Or is all of that information optional if our system will require a
network connection to operate? Sorry if this is a bit vague, I'm
stumbling into new territory here, and not entirely sure of the concepts

To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC