saml-dev message


Subject: Re: [saml-dev] SAML2.0 implementations

Guanxi is an open source implementation of the Shibboleth SAML1.1 Profile.
It consists of pure Java implementations of an IdP, SP and WAYF.

The IdP has always been closely involved in authentication and can be
embedded in other applications such as a VLE and can be configured to hook
into the host application's authentication mechanism. It's currently
embedded in the open source Bodington VLE:
It can also be used in standalone mode with an LDAP connector.

The SP is a web service based, distributed, Engine and Guards combination.
One SAML Engine can look after multiple Guards, which are minimal entities
that provide Shibboleth functionality to applications. The SP is J2EE
container agnostic and does not require Apache. It also has minimal SSL
configuration as it has its own SSL layer for auto-trust between an
Engine and its Guards. This auto-trust is based on metadata at the
Engine, REST handshaking and certificate probing.

More info is on the Guanxi wiki:

SAMUEL is a partial SAML1.1 Java toolkit and is in the process of being
redesigned from the ground up to support SAML2. No profile support will be
included in SAMUEL. All profile support is contained within a Guanxi

hope this helps,


mov eax,1
mov ebx,0
int 80h

> Cool! :-)  Alistair, can you give more info re Guanxi and/or SAMUEL?
> (Similar to what Eve did for the others.)
> Thanks,
> Tom
> On 12/2/06, Alistair Young <alistair@smo.uhi.ac.uk> wrote:
>> Hi folks,
>> I thought I'd just chip in my small tuppence worth on SAML toolkits. Seems
>> I missed the list switch and all the interesting discussions.
>> The toolkit that comes with Guanxi, SAMUEL (SAML Used in eLearning) is a
>> partial SAML1.1 implementation with a planned complete upgrade to SAML2.0,
>> full coverage, hopefully in the next 6 months.
>> I too had a lot of trouble in the early days, with SAML, profiles and
>> Shibboleth etc. When talking about this to non technical conferences, I
>> like to think of it all as the "bucket brigade". You have an urgent fire
>> to put out. The flames of SSO! SAML provides the "buckets" into which
>> information on how to extinguish the fire is placed by the fire master.
>> In the case of Shibboleth, the fire master is your IdP. The SP needs that
>> info to put out the fire. However, the buckets themselves are useless.
>> They just sit there doing nothing. That's where the profiles come in. They
>> specify how to move the buckets around.
>> e.g. the Shibboleth SAML1.1 profile says:
>> "take that bucket marked AuthenticationStatement, scrawl something on it
>> that I will recognise it came from you, then bung it over there next to
>> the Response bucket and ..."
>> but Shibboleth is also an implementation? yes, it's the reference
>> implementation of the Shibboleth SAML profile. Guanxi is another
>> implementation of that Shibboleth profile.
>> Shibboleth uses openSAML to control the buckets. Guanxi uses SAMUEL.
>> So there are two levels, the raw SAML "bucket" level. A soup of SAML
>> tokens. And a higher level, where the profiles live, that stir up that low
>> level soup.
>> So I think it's a good idea to keep the profiles separate from the SAML
>> tokens themselves. That way you can create all sorts of weird and
>> wonderful profiles, using the same SAML toolkit.
>> Alistair
>> --
>> mov eax,1
>> mov ebx,0
>> int 80h
