[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] SOAP Profile of SAML vs WS-Security: Summary andan Action Plan
SOAP Profile of SAML vs WS-Security ------------------------------------------------- The SOAP profile of SAML (Section 4.2, bindings-09) describes the secure attachment of SAML assertions to SOAP messages. The main idea here is that SAML assertions may be placed within the SOAP envelope and XML-DSIG may be used to ensure the secure attachment of assertions to a specific payload. In October 23, 2001, a family of specifications concerned with SOAP messaging were published on MSDN. Of these, two are of particular interest to the SAML community: WS-Security http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsrvspec/h tml/ws-security.asp <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsrvspec/ html/ws-security.asp> WS-License http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/ html/wslicspecindex.asp <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec /html/wslicspecindex.asp> WS-Security is concerned with several different security topics (e.g., encryption) but two components are relevant to the SAML SOAP Profile. * The Credentials section discusses a mechanism for associating security information, such as Kerberos tickets, with a message. * The Integrity section discusses how to use XML-Signature [XML-Signature] <http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp?fra me=true#ws-security_xml-signature> to ensure that SOAP messages are not tampered with during message transmission. A general construction is given for attaching a "credential" to a SOAP message. Use of an "integrity header" (utilizing XML-DSIG) is described to ensure message integrity. WS-License describes XML elements that can be used to express several different types of credentials: X.509 certificates, Kerberos tickets and arbitrary binary blobs. CONCLUSION: ------------------- The proposals in WS-Security and WS-License are clearly relevant to the SAML SOAP Profile. They do not in any way make the contents of the SOAP profile redundant; on the contrary, by proposing "infrastructure" for the inclusion of generic "credentials" in SOAP messages they highlight the importance of the SAML SOAP Profile in XML messaging. We need to review the current contents of the SOAP profile in light of the WS-Security and WS-License proposals. One possible outcome would be to build the SOAP profile as an instance of WS-Security and expose SAML assertions as a specific instance of the credential notion described in WS-License. However, all of this will take some time and considerable discussion. I would therefore propose the removal of the materials on the SOAP profile from the current bindings draft. These materials, together, with the WS-Security and WS-License proposals, would be used as the basis for a new draft SOAP profile document. The TC would review this information and submit a SOAP profile to OASIS in the near future (Q2/02). NOTE: -------- For reasons unknown to me, the above links do not always correctly lead to the two specifications. An alternative path is to view the table of contents displayed on the LHS frame and directly access the specifications from the TOC.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC