OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services]

Eve Maler pointed me to this message on the conformance

I am sending my responses to the general list as it seems
to me the message raises questions beyond those
of conformance.
>>By mandating one baseline binding, are we implying that all users of SAML
will have to support it in
>>addition to any other bindings they care about, or is it only a matter of
picking a single binding to work 
>> on in the V1.0 timeframe?  What will be the timeframe/mechanism for
documenting other bindings, even if 
>> they're not "blessed" by the TC yet?  Our original plan  was to
eventually offer multiple bindings; using 
>> SAML across domains should be a matter of picking a common (and
standardized) binding. Conformance 
>> in this area should be a "set of binding protocols" to choose from and
let the parties in SAML transactions
 >>negotiate the binding by picking one from the "set of binding protocols".
This should be something similar 
>> to the cipher negotiations that happen in SSL connections, for example. 
The current situation is that the TC has agreed to use SAML over SOAP/HTTP
as a mandatory-to-implement
binding. This means that every vendor should provide such a binding as part
of their SAML implementation and in this way inter-operability between
different vendors is guaranteed. Notice that this is NOT
mandatory-to-deploy --- if you dont want to use it, you can simply ignore
Further, vendors are free
to implement other bindings (SAML over HTTP, SAML over TCP/IP, SAML over
RMI). We are in
the process of creating some infra-structure at the SSTC so that vendors (or
even better a group of vendors) can publish a specification describing a
profile or binding
at the SSTC.  This type of "informational" or "Experimental" draft would not
have the status
of a standard but would be based on standards. As an open published document
it would
have a somewhat different status from a purely proprietary document. 
>>The market is gung-ho about SOAP and web services but do NOT want to
deploy them right away 
>>because they perceive SOAP as a "discontinuous change" or a "disruptive
technology" despite the base 
>>HTTP layer over which most SOAP implementations are implemented. So if
HTTP binding is not one of the 
>>"set of binding protocols", then SAML will hurting its chances of quickly
and widely being adopted by the 
>>market, and will be left out of tons of markets. Customers are concerned
about deploying SOAP because 
>>of immaturity of its firewall technology and SOAP, inadequate skilled
system administrators to configure 
>>and manage SOAP traffic, relatively new support in the leading application
servers, SOAP standardization 
>>and evolution, etc. 
I am a little puzzled by this. Whether using SAML over SOAP/HTTP or plain
HTTP, admins have to
open a single HTTP port. Is there really a sharp distinction between the
Our use of SOAP is extremely modest: all we are doing is wrapping
SAML in a SOAP body and taking advantage of standard SOAP error codes and
header structure.

It can be implemented by the doPOST method servlet in any servlet container;
the servlet
would use an XML parser to extract the SAML body from the SOAP message and
forward it to
the SAML processor. If it unable to extract the SAML body then some SOAP
error is
returned. Maybe this isn't the "correct" way of implementing SAML over
but it certainly gets the job done. 
I will make some more enquiries locally (Simon, can you also check with your
people?) about this
issue. In any case, if there is a concern that we really, really need a
separate HTTP binding 
we can pick up the materials from binding-05 and publish it as a separate
draft. Of course,
some volunteers are needed to take this forward (hint, hint...)
>>SAML in non-web scenarios is also severely hampered because of lack of
bindings such as Socket 
>>bindings, for example. For example, what about using SAML in Netware/Lotus
Notes SSO? How to bridge 
>>the existing non-web applications with web apps and SAML? 
As above. The group of interested vendors should publish a draft of an
appropriate binding
such as, for example, SAML over TCP/IP.
>>If we had to pick the next few bindings that should be worked on, they
should be HTTP and sockets.  If the 
>>HTTP binding is nearly there, we should publish it as a draft anyway, so
people can get started with 
>>it. This will get the industry on SAML lot quicker, easier and sooner. A
socket binding would be even 
>>simpler, since it doesn't have to worry about SAML information that would
go into a header.
Agreed, if there is interest in bindings other than SAML over SOAP/HTTP, we
should definitely
publish drafts describing these bindings.
- prateek

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC