Subject: Re: [saml-dev] SAML2.0 implementations

Hi folks,

I thought I'd just chip in my small tuppence worth on SAML toolkits. Seems
I missed the list switch and all the interesting discussions.

The toolkit that comes with Guanxi, SAMUEL (SAML Used in eLearning) is a
partial SAML1.1 implementation with a planned complete upgrade to SAML2.0,
full coverage, hopefully in the next 6 months.

I too had a lot of trouble in the early days, with SAML, profiles and
Shibboleth etc. When talking about this to non-technical conferences, I
like to think of it all as the "bucket brigade". You have an urgent fire
to put out. The flames of SSO! SAML provides the "buckets" into which
information on how to extinguish the fire is placed by the fire master.

In the case of Shibboleth, the fire master is your IdP. The SP needs that
info to put out the fire. However, the buckets themselves are useless.
They just sit there doing nothing. That's where the profiles come in. They
specify how to move the buckets around.

e.g. the Shibboleth SAML1.1 profile says:
"take that bucket marked AuthenticationStatement, scrawl something on it
that I will recognise it came from you, then bung it over there next to
the Response bucket and ..."

But Shibboleth is also an implementation? Yes, it's the reference
implementation of the Shibboleth SAML profile. Guanxi is another
implementation of that Shibboleth profile.

Shibboleth uses openSAML to control the buckets. Guanxi uses SAMUEL.

So there are two levels, the raw SAML "bucket" level. A soup of SAML
tokens. And a higher level, where the profiles live, that stir up that low
level soup.

So I think it's a good idea to keep the profiles separate from the SAML
tokens themselves. That way you can create all sorts of weird and
wonderful profiles, using the same SAML toolkit.
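The two-level split described in the post (a token layer that only knows how to build and read SAML "buckets", and a profile layer that decides how they are packaged and what the receiving SP must check) can be sketched in code. The following is an added example written for this page, not code from Guanxi, SAMUEL, OpenSAML or Shibboleth. It uses the SAML 1.1 element names and namespace URIs (SAML 1.1 kept the `:1.0:` URIs) and only the Python standard library. The "scrawl something on it that I will recognise" step, the XML Signature over the assertion, is deliberately left out because it needs an xmlsec library; the comments mark where it belongs, and the SP-side check shown here is the part that comes after signature verification, never instead of it. The issuer, entity id and subject values are constructed placeholders.

```python
"""Two-layer SAML 1.1 sketch: token layer vs profile layer (added example)."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 protocol namespace
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# ---------- token layer: the "buckets", no knowledge of any profile ----------

def build_authentication_assertion(issuer: str, name_id: str, auth_method: str) -> ET.Element:
    """Return a saml:Assertion carrying a single AuthenticationStatement."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": issuer, "IssueInstant": _now(),
    })
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": auth_method, "AuthenticationInstant": _now(),
    })
    subject = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier").text = name_id
    # An XML Signature (ds:Signature) over this element would be added here
    # by the IdP; omitted in this example.
    return assertion


def read_authentication_statements(assertion: ET.Element):
    """Token-level read: (issuer, [(method, name_id), ...]) from an assertion."""
    if assertion.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a saml:Assertion")
    found = []
    for stmt in assertion.findall(f"{{{SAML_NS}}}AuthenticationStatement"):
        nid = stmt.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
        found.append((stmt.get("AuthenticationMethod"), nid.text if nid is not None else None))
    return assertion.get("Issuer"), found


# ---------- profile layer: how the buckets are moved and what the SP checks ----------

def wrap_in_response(assertion: ET.Element, recipient: str) -> str:
    """Profile rule on the IdP side: place the assertion in a samlp:Response addressed to the SP."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "MajorVersion": "1", "MinorVersion": "1",
        "ResponseID": "_" + uuid.uuid4().hex,
        "IssueInstant": _now(), "Recipient": recipient,
    })
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode", {"Value": "samlp:Success"})
    resp.append(assertion)
    return ET.tostring(resp, encoding="unicode")


def sp_accept(response_xml: str, expected_issuer: str, my_entity_id: str):
    """Profile rule on the SP side: accept only a Response addressed to us, from the IdP we trust.

    Runs after the assertion's signature has been verified against the IdP's
    known key (not shown); an unsigned or unverifiable assertion must be rejected before this.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Recipient") != my_entity_id:
        raise ValueError("Response not addressed to this SP")
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        raise ValueError("IdP did not report success")
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no assertion in Response")
    issuer, statements = read_authentication_statements(assertion)
    if issuer != expected_issuer:
        raise ValueError(f"assertion issued by {issuer!r}, expected {expected_issuer!r}")
    if not statements:
        raise ValueError("no AuthenticationStatement present")
    return statements


if __name__ == "__main__":
    # Constructed placeholder identifiers for a demo run.
    idp, sp = "https://idp.example.org/shibboleth", "https://sp.example.org/shibboleth"
    bucket = build_authentication_assertion(idp, "alice", "urn:oasis:names:tc:SAML:1.0:am:password")
    wire = wrap_in_response(bucket, sp)
    print(sp_accept(wire, expected_issuer=idp, my_entity_id=sp))
```

The token functions never mention a Response or a Recipient, and the profile functions never build an AuthenticationStatement themselves; that is the separation the post argues for, and it is what lets a different profile reuse the same token layer while changing only the packaging and acceptance rules.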