security-services message


Subject: [security-services] Mistaken Use of SAML Specification in Article on theserverside.com


I don't see how to contact the author of this article:


Perhaps you could forward this message.

The article describes an invalid use of SAML. In the article, the author shows some XML which provides a password and expects the Authentication Authority to validate the password and issue an Authentication Assertion.

This is an incorrect use of the specification. SAML assumes that a user has previously authenticated by some standard means to the Authentication Authority. The Authentication Request is a request by a Relying Party for information about this previous event.

The OASIS SSTC has recognized that our specification is not clear enough in this area and is attempting to improve it.

We appreciate your interest in SAML and your efforts to educate people on its use.

If you want to see how SAML can be used for single sign-on in the context of HTTP, I suggest you look at the Browser Profiles described in the SAML Bindings specification.

A pointer to the current version can be found on this page:


If you are interested in the use of SAML in the context of Java, you should be aware of the Java Community Process JSR 155. The goal of this activity is to make the use of SAML from Java easy.


Harold W. Lockhart            Entegrity Solutions
2 Mount Royal Avenue          Marlborough, MA 01752 USA
V: 1-508-624-9600 x 260       hal.lockhart@entegrity.com
F: 1-508-229-0338             www.entegrity.com
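The distinction the message draws, as an added example that is not part of the original message and not OASIS or Entegrity code: a SAML 1.0 AuthenticationQuery as a Relying Party would send it, and a minimal Authentication Authority that answers it from a record of logins that already happened. The namespaces and element names are those of SAML 1.0; the event table, the subject names, the issuer name, the `handle_request` and `build_authentication_query` helpers and the constructed invalid request are assumptions made for this demo. The authority accepts a query about a subject and returns an AuthenticationStatement describing the earlier event, returns a Success response with no assertion when it knows nothing about the subject, and rejects a request that tries to carry a password, since SAML 1.0 defines no element for credentials.

```python
"""Added example (not from the original message): a SAML 1.0 AuthenticationQuery
as a Relying Party would send it, and a minimal Authentication Authority that
answers it from a record of earlier logins. Namespaces and element names follow
SAML 1.0; the event table, names and helper functions are constructed for this demo.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authentication_query(subject_name, name_qualifier):
    """Relying Party side: ask what the authority knows about an earlier
    authentication of this subject. No credential travels in the request."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "0",
        "RequestID": uuid.uuid4().hex, "IssueInstant": _now()})
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery")
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                  NameQualifier=name_qualifier).text = subject_name
    return ET.tostring(req, encoding="unicode")


# Constructed record of logins that already happened by ordinary means
# (form login, Kerberos, ...). An Authentication Authority answers from
# this kind of record; it does not verify passwords inside SAML requests.
PRIOR_AUTHENTICATIONS = {
    ("alice", "example.com"): {"method": AM_PASSWORD,
                               "instant": "2002-03-14T09:21:00Z"},
}


def handle_request(request_xml, events=PRIOR_AUTHENTICATIONS,
                   issuer="authority.example.com"):
    """Authentication Authority side. Returns (status, assertion_xml_or_None),
    where status is the local name of the SAML 1.0 StatusCode value."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}Request":
        return ("Requester", None)
    # SAML 1.0 defines no element for carrying credentials: anything outside
    # the protocol and assertion namespaces is not a valid query.
    for el in root.iter():
        if not el.tag.startswith(("{" + SAMLP + "}", "{" + SAML + "}")):
            return ("Requester", None)
    query = root.find(f"{{{SAMLP}}}AuthenticationQuery")
    if query is None:
        return ("Requester", None)
    # An AuthenticationQuery contains exactly one Subject and nothing else.
    if [c.tag for c in query] != [f"{{{SAML}}}Subject"]:
        return ("Requester", None)
    nid = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or not nid.text:
        return ("Requester", None)
    key = (nid.text, nid.get("NameQualifier"))
    event = events.get(key)
    if event is None:
        # No earlier authentication known: a Success response with no assertion.
        return ("Success", None)
    assertion = ET.Element(f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": uuid.uuid4().hex, "Issuer": issuer,
        "IssueInstant": _now()})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement",
                         AuthenticationMethod=event["method"],
                         AuthenticationInstant=event["instant"])
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                  NameQualifier=key[1]).text = key[0]
    return ("Success", ET.tostring(assertion, encoding="unicode"))


# Constructed request in the style the message objects to: a password stuffed
# into the query. The authority rejects it instead of checking the password.
INVALID_REQUEST = (
    f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'MajorVersion="1" MinorVersion="0" RequestID="r1" '
    'IssueInstant="2002-03-14T09:22:00Z">'
    '<samlp:AuthenticationQuery><saml:Subject>'
    '<saml:NameIdentifier NameQualifier="example.com">alice</saml:NameIdentifier>'
    '</saml:Subject><Password>hunter2</Password>'
    '</samlp:AuthenticationQuery></samlp:Request>'
)

if __name__ == "__main__":
    print(handle_request(build_authentication_query("alice", "example.com")))
    print(handle_request(build_authentication_query("bob", "example.com")))
    print(handle_request(INVALID_REQUEST))
```

The shape check on the query (a single Subject child, and nothing from outside the two SAML namespaces anywhere in the request) is what makes the point: the authority never sees, and never evaluates, a password. Whether alice is authenticated was decided earlier, at login, and the record of that event is all the query can ask about.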

