OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] First draft of SAML FAQ: needs review/contentbig-time!

This draft has all of the questions contributed by Edwin (and more), and 
*some* of the answers contributed by Hal; I didn't have time to incorporate 
all of them in a "pretty" fashion.  I'll try to work on incorporating more 
answers while I'm on the road in the next couple of weeks, but would like 
to get a public draft of the FAQ out soon (perhaps just removing the 
questions that don't have answers yet? what do people think?).




14 January 2002 draft

This FAQ helps to answer frequently asked questions about SAML, the Security Assertion Markup Language. If you have a question that is not answered here, or if you have questions or comments on any of the answers provided, let us know.

Note to Reviewers

The questions were mostly contributed by Edwin DeSouza, and the answers were mostly contributed by Hal Lockhart, with editorial++ reworking by Eve Maler. This draft has never been reviewed before. Please send comments ASAP to Eve and/or the whole security-services list.

Known holes in the content below (besides missing answers):

  • Need to link to the SAML white paper from here.

  • Need to put the "binding and profile solicitation" page in place and link to it from here.

The format is pretty bad so far; I'm working on revising the stylesheet that produced it.

1. General
Q: What is SAML?
Q: Where is SAML being standardized?
Q: When will SAML be done?
Q: Who is participating in SAML?
Q: What are the major goals of SAML 1.0?
Q: What are the major issues that were postponed to future versions of SAML?
Q: What will be the benefit of having all the major security vendors implement SAML?
2. Features and Benefits
Q: Does SAML provide facilities for authentication?
Q: Does SAML provide facilities for authorization and access control?
Q: Does SAML provide facilities for distributed session management?
Q: Can SAML be used to provide SSO for web services?
Q: Can SAML be used to provide SSO for web applications (pure HTML clients)?
Q: Can SAML be used to provide SSO for web-enabled legacy applications (Citrix/Transfuse to Legacy client/server applications)?
Q: Can SAML be used to provide SSO across a set of applications within an enterprise (intranet)?
Q: Can SAML be used to provide SSO across a set of applications across a set of enterprises (extranet) and across firewalls?
Q: Can SAML provide SSO across various OS, directory, database, firewalls, etc. combinations?
3. SAML and Other Technologies
3.1. Relationship to Other Standards
Q: How does SAML work with XML? Is XML required?
Q: How does SAML work with HTTP and HTTPS? Is HTTPS or HTTP required?
Q: How does SAML work with SOAP? Is SOAP required?
Q: How does SAML work with SSL and TLS?
Q: How does SAML work with PKI?
Q: How does SAML work with other authentication devices?
Q: How does SAML work with LDAP?
Q: How does SAML work with XKMS (Key Management Specification)?
Q: How does SAML work with XACML (Access Control Markup Language)?
Q: How does SAML work with PSML (Provisioning Services Markup Language)?
Q: How does SAML work with DSML (Directory Services Markup Language)?
Q: How does SAML work with Kerberos?
Q: How does SAML work with XML Signature?
Q: How does SAML work with XML Encryption?
3.2. Relationship to Other Single Sign-On Frameworks
Q: How does SAML work with Microsoft Passport?
Q: How does SAML work with Project Liberty?
4. Technical
Q: How can I trust/verify a SAML transaction?
Q: What is the connection between acts of authentication and SAML authentication assertions?
Q: How does SAML protect against "man-in-the-middle" and "replay" security attacks in general?
Q: Is there a mechanism for telling a remote party that someone's authentication has now expired?
Q: How is trust established between a client and a SAML authority?
Q: Can SAML appear in both the header and the body of a SOAP message?
Q: Will SAML PDPs need to be configured to understand only selected authentication decision queries?
Q: I don't currently use SOAP. Do I need to invent my own protocol for requesting and getting SAML assertions?

1. General

A: SAML is the Security Assertion Markup Language, a standard XML-based framework for the exchange of authentication and authorization information. The SAML standard is defined in a five-document SAML 1.0 Specification Set and two accompanying schema documents; these are currently at the Committee Working Draft stage.

A: SAML is being developed under the auspices of OASIS, the Organization for the Advancement of Structured Information Standards. OASIS has long been a home for development of XML languages and protocols. OASIS hosts several other efforts to standardize security-related information, such as XACML. Many members of the SAML Technical Committee also take part in related standards work in other venues, such as UDDI, W3C, IETF, and the committee has liaison relationships with many of these efforts.

A: SAML 1.0 is at the Committee Working Draft stage and the SAML Technial Committee is actively soliciting feedback. The SAML Technical Committee expects to proceed to a "Last Call" for comments with a revised set of Candidate Committee Specifications on 1 February 2002, and to publish a set of Committee Specifications (a Proposed OASIS Standard) on 1 March 2002.The goal is to achieve a positive result from a vote of OASIS members during the following three months and be published as an OASIS Standard. The OASIS process is described here.

A: The current TC members are listed here. A substantial majority of the voting members of the TC are affiliated with companies that currently sell access management and PKI products and services.

A: The major functional goals of SAML 1.0 are as follows:

  • Enabling single sign-on for web users

  • Exchanging authentication and authorization information in a variety of kinds of distributed transaction

The SAML design reflects the following priorities (in no particular order):

  • Provide basic capabilties to allow current access management products to interoperate

  • Provide sufficient functionality to maximize the chances of widespread adoption without requiring substantial proprietary extensions in most cases

  • Produce a specification at an early enough date that organizations will not look for alternative solutions

  • Provide basic support for emerging applications, such as SOAP-enabled e-commerce

  • Identify clear mechanisms for extension, both for closed environments and for future versions of SAML

See the SAML Use Cases and Requirements Document and the SAML white paper for more detailed information.

A: Some large features that were explicitly deferred were:

  • Proxy login (pass-thru authentication)

  • Dynamic session management

  • Interoperability with .Net

  • Service location and negotiation

Some performance optimizations and small features have also been deferred. Profiles have been defined for two environments so far, web browsing and SOAP, but additional profile contributions are being solicited.

A: Interoperability. Standardizing the interfaces between systems allows for faster, cheapter, and more reliable integration. SAML 1.0 gets part of the way towards this goal, and future addition of features will continue the trend. Also, the future addition of bindings and profiles will open up these benefits to more and different kinds of access management.

4. Technical

A: Any entity that can authenticate another entity (verify its identity) can potentially act as an authentication authority and issue a SAML authentication assertion. It is up to relying parties, for example a PDP, to decide what authentication authorities it chooses to trust.

The means of ensuring that the entity making a request and the entity referred to by an assertion are one and the same is dependent on the environment and protocols being used. The general mechanism provided is the SubjectConfirmation element, which is intended to carry data appropriate to the environment. Possible mechanisms include an artifact encoded in a URL, a Kerberos service ticket, or a public key associated with signature on a document. SAML profiles will specify the details for different situations.

It is expected that others besides the SAML Technical Committee will define other schemes appropriate for other enviroments. They might or might not publish these as profiles, but doing so ensures greater interoperability.

A: SAML doesn't really do anything "in general". Profiles are expected to prevent or minimize MITM attacks as much as possible given the limitations of the environment in question. The Security and Privacy Considerations document discusses what should be considered.

A: SAML is a very general framework which will be used in a wide variety of environments. It is up to relying parties to decide what asserting parties they trust for what purposes. For example, Company A might trust Company B to tell it if an individual was a Company B employee, but not to tell if the employee has a Secret Clearance. Trust relationships must be established out of band. (Also, a certain amount of configuration information, for example network addresses, will have to be exchanged out of band.)

A: Any PDP will have a policies covering a finite number of resources. If it is asked about a resource for which it has no policies, it will produce an Indeterminate response. It is up to the PEP to locate a PDP that knows about the resources it protects. SAML does not provide any automated way of doing this.

A: You are allowed to use SAML requests and responses over any protocol you like. Whether you will be able to interoperate with anybody else is another question. The SOAP-over-HTTP protocol is intended to be very simple to implement and should represent less work than implementing SAML requests and interpreting SAML responses.

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC