OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: Shib & SAML presentation

I have indeed some comments on this hot subject!

Early this year a number of SAML use-cases were defined.
One was as I recall similar to the Shib use-case. But in the bindings-05
draft there is [still] no description of a Shib-like use-case. IMO
the differences in Artifact formats depend not only on "history", but
to a major extent on the rather different flows of information in
SAML's PULL scheme versus Shib's contact-destination-first-scenario.
E.g. PartnerIDs and associated URL are redundant in a Shib use-case
(as they also are, in all SAML use-cases described in the bindings-draft
except for PULL).

In my recently submitted papers I have (more or less) shown how
all these SSO-scenarios could be merged into a unified model.
But that would require substantial protocol changes in both SAML
and Shib. Therefore, I personally see few chances of convergence
with Shib unless some closed issues are reopened. To [in Shib]
move around superfluous information like PartnerIDs is of course
an option but I doubt that this is the way to go.

A thing I am not so excited about in Shib, are the signed handle URLs.
That only the signatures but not the certificate(s) are carried in assertions.
is at least not an option in the many-to-many B2B-market we are
plotting with.  It makes connections less "robust" in respect to
certificate renewals that IMO do not have to be communicated
to partners, at least if you use TTP CAs.  Using handles POSTed
in forms, the motives for the current scheme (and format) would be
less obvious, as the size-constraint would go away.

Regarding attribute release, I have some problems understanding
the Shib model. Does the destination (using SAML-terminology)
indicate what attributes it wants the source to release? At least
that seems like the most straight-forward way to do things.

Anders Rundgren
----- Original Message -----
From: "Marlena Erdos" <marlena@us.ibm.com>
To: <security-services@lists.oasis-open.org>
Cc: <Steven_Carmody@brown.edu>; <david.wasley@ucop.edu>; <cantor.2@osu.edu>; <hazelton@doit.wisc.edu>;
<Ken.Klingenstein@Colorado.edu>; "Mark Simpson" <simpsoma@us.ibm.com>
Sent: Tuesday, August 28, 2001 17:33
Subject: Shib & SAML presentation

Dear SAML'ers,

Here is the presentation I gave on Monday
at the F2F.  It discusses Shibboleth and compares/contrasts
it with SAML, pointing out "connects & disconnects".

Comments? Questions?   Just let me know.


(See attached file: Shibb&SAML.ppt)

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC