Subject: [security-services] Mistaken Use of SAML Specification in Article on theserverside.com
I don't see how to contact the author of this article:
http://www.theserverside.com/resources/articles/Systinet-web-services-part-6/article.html
Perhaps you could forward this message.
The article describes an invalid use of SAML. In the article, the author shows some XML which provides a password and expects the Authentication Authority to validate the password and issue an Authentication Assertion.
This is an incorrect use of the specification. SAML assumes that a user has previously authenticated by some standard means to the Authentication Authority. The Authentication Request is a request by a Relying Party for information about this previous event.
The Oasis SSTC has recognized that our specification is not clear enough in this area and is attempting to improve it.
We appreciate your interest in SAML and your efforts to educate people on its use.
If you want to see how SAML can be used for single signon in the context of HTTP, I suggest you look at the Browser Profiles described in the SAML Bindings specification.
A pointer to the current version can be found on this page:
http://www.oasis-open.org/committees/security/index.shtml
If you are interested in the use of SAML in the context of Java, you should be aware of the Java Community Process JSR 155. The goal of this activity is to make the use of SAML from Java easy.
Hal
=======================================================
Harold W. Lockhart Entegrity Solutions
2 Mount Royal Avenue Marlborough, MA 01752 USA
V: 1-508-624-9600 x 260 hal.lockhart@entegrity.com
F: 1-508-229-0338 www.entegrity.com
=======================================================
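The distinction Hal draws above, as an added example that is not part of the original post, the article, or any OASIS or JSR 155 code: a small SAML 1.x Authentication Authority that answers an AuthenticationQuery only from its record of a login that already happened, and refuses a query that tries to deliver a password. Element and namespace names follow SAML 1.x; the event store, the subject name and the two sample queries are constructed for this example.

```python
# Added example (not the article's code nor the OASIS SSTC's): a SAML 1.x
# Authentication Authority answering an AuthenticationQuery from its record of a
# login that already happened, and refusing queries that try to carry a password.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# Constructed record of a prior authentication event: alice logged in at the
# AA's own password form earlier; that past event is what a query asks about.
PRIOR_AUTH_EVENTS = {"alice@example.com": {
    "method": "urn:oasis:names:tc:SAML:1.0:am:password", "instant": "2002-07-01T12:00:00Z"}}
# Constructed sample requests: GOOD names a subject only; BAD (the article's
# mistake) smuggles a password into the query.
GOOD_QUERY = (f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
              '<samlp:AuthenticationQuery><saml:Subject><saml:NameIdentifier>'
              'alice@example.com</saml:NameIdentifier></saml:Subject>'
              '</samlp:AuthenticationQuery></samlp:Request>')
BAD_QUERY = GOOD_QUERY.replace("</saml:Subject>",
                               "</saml:Subject><saml:Password>s3cret</saml:Password>")

def query_carries_credentials(query_xml: str) -> bool:
    """True if any element or attribute in the query is named like a secret."""
    for el in ET.fromstring(query_xml).iter():
        names = [el.tag.rsplit("}", 1)[-1]] + list(el.attrib)
        if any("password" in n.lower() for n in names):
            return True
    return False

def answer_authentication_query(query_xml: str, issuer: str) -> Optional[str]:
    """Assertion describing the prior login, or None on misuse/unknown subject."""
    if query_carries_credentials(query_xml):  # a query is not a login attempt
        return None
    name_el = ET.fromstring(query_xml).find(
        f".//{{{SAMLP}}}AuthenticationQuery/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_el is None or name_el.text not in PRIOR_AUTH_EVENTS:
        return None  # nobody by that name authenticated here, so nothing to assert
    event = PRIOR_AUTH_EVENTS[name_el.text]
    assertion = ET.Element(f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": issuer,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": event["method"],    # how the subject really logged in
        "AuthenticationInstant": event["instant"]})  # the past event, not "now"
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = name_el.text
    return ET.tostring(assertion, encoding="unicode")
```

The returned assertion reports the method and instant of the earlier login rather than performing one; a real AA would also sign it and add Conditions, which this example omits.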