security-services message
Subject: Re: Shib & SAML presentation


Marlena,
I have indeed some comments on this hot subject!

Early this year a number of SAML use-cases were defined.
One was as I recall similar to the Shib use-case. But in the bindings-05
draft there is [still] no description of a Shib-like use-case. IMO
the differences in Artifact formats depend not only on "history", but
to a major extent on the rather different flows of information in
SAML's PULL scheme versus Shib's contact-destination-first-scenario.
E.g. PartnerIDs and associated URLs are redundant in a Shib use-case
(as they also are, in all SAML use-cases described in the bindings-draft
except for PULL).

In my recently submitted papers I have (more or less) shown how
all these SSO-scenarios could be merged into a unified model.
But that would require substantial protocol changes in both SAML
and Shib. Therefore, I personally see few chances of convergence
with Shib unless some closed issues are reopened. To [in Shib]
move around superfluous information like PartnerIDs is of course
an option but I doubt that this is the way to go.

A thing I am not so excited about in Shib is the signed handle URLs.
That only the signatures but not the certificate(s) are carried in assertions
is at least not an option in the many-to-many B2B market we are
plotting with.  It makes connections less "robust" with respect to
certificate renewals that IMO do not have to be communicated
to partners, at least if you use TTP CAs.  Using handles POSTed
in forms, the motives for the current scheme (and format) would be
less obvious, as the size-constraint would go away.

Regarding attribute release, I have some problems understanding
the Shib model. Does the destination (using SAML-terminology)
indicate what attributes it wants the source to release? At least
that seems like the most straightforward way to do things.

cheers
Anders Rundgren
X-OBI
----- Original Message -----
From: "Marlena Erdos" <marlena@us.ibm.com>
To: <security-services@lists.oasis-open.org>
Cc: <Steven_Carmody@brown.edu>; <david.wasley@ucop.edu>; <cantor.2@osu.edu>; <hazelton@doit.wisc.edu>;
<Ken.Klingenstein@Colorado.edu>; "Mark Simpson" <simpsoma@us.ibm.com>
Sent: Tuesday, August 28, 2001 17:33
Subject: Shib & SAML presentation


Dear SAML'ers,

Here is the presentation I gave on Monday
at the F2F.  It discusses Shibboleth and compares/contrasts
it with SAML, pointing out "connects & disconnects".

Comments? Questions?   Just let me know.

Thanks,
Marlena


(See attached file: Shibb&SAML.ppt)