Subject: [security-services] RE: [saml-dev] Extending SAML to all Generic XMLdocuments


Evan,

This proposal appears to have merit and I encourage you to pursue it.
However, the saml-dev list is intended for implementers of SAML and is not
the right place to propose changes and additions to the specification.

I have taken the liberty of forwarding this to the main SAML list
(security-services@lists.oasis-open.org) where it can undergo further
discussion and development. It appears that the timing would be right for a
proposal of this type for inclusion in SAML version 2.0.

I suggest at a minimum you join the main SAML mailing list (which is open to
all OASIS members), but it would be best if you could join the SSTC and
participate in our meetings.

Hal

> -----Original Message-----
> From: Montgomery-Recht Evan [mailto:recht_evan@bah.com]
> Sent: Monday, March 17, 2003 10:21 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Extending SAML to all Generic XML documents
>
>
> Good day,
>
> We've been working with SAML to assist in the exchange of data between
> two systems, which will grow to other systems in the future for the past
> few months.  We're using SAML in a somewhat non-standard way.  Instead
> of the current SAML question, "tell me something about this user", we're
> asking more of the question "I know something you know, but I need more
> information related to that piece of information."  The major reason
> we're asking this question is that a lot of our data is relational, not
> the standard ldap.
>
> After doing some background research into our data partners' data
> models, we discovered that the current attributeQuery, which assumes flat
> translation, meaning all attributes are hierarchical, didn't quite cut it
> for us.  We also spent time looking at how relational data can be mapped
> in XML and vice versa, to look again at whether XML is even the right
> data model for us.  What we found is yes, it's the right data model, but
> the current SAML doesn't fully support what we need to make our project
> successful.  We also looked at why we are using SAML; our conclusion was
> that, first, we don't want to develop a new standard that everyone will
> have to support, and we also found that although we're only using 20% of
> SAML, the framework was correct for us.  Therefore we asked the question:
> what can we do to extend SAML to support our business model?
>
> This is what we came up with.  Our use case is the following: for each
> of our business partners we have defined an XML namespace and schema that
> defines the data that we wish to exchange.  We realized that we liked a
> lot of the SAML framework, so we decided to look at what it would take
> to be able to use SAML to exchange a generic XML document.  In our
> particular use case, the requestor has some information that can be
> filled into a partially filled out XML document; they then send, in a
> "modified SAML" request, this document in what's called the
> DocumentDesignator, which has an element DocumentDescription, where this
> instance of the XML document exists.  The server responds with the
> completed XML document to the requestor, who then makes use of the data.
> The key in our data is that it's almost all relational data, not LDAP
> OO-hierarchy based.
>
> I'd like to find out if anyone else has any thoughts on this idea.
> Realize my customers are government based, so we see a good application
> of this in our environment; the question is whether there is a commercial
> usefulness for this also (I think there is).  I've included some modified
> schema files that meet our needs.  Basically I've defined a structure
> close to the attribute portion of the SAML standard, but with an XML
> Document spin; everything has a prefix of Document.
>
> Obviously everything is up for discussion; our hope is that something to
> this effect could exist in a future iteration of SAML.
>
> Thanks,
>
> evan
>
> Evan Montgomery-Recht, CISSP
> Booz Allen Hamilton
> mail: recht_evan@bah.com
> work: 703.902.5496
> fax: 703.902.3409
> mobile: 571.332.8663
>
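The request/response exchange Evan sketches (a partially filled partner document carried inside DocumentDesignator/DocumentDescription and completed by the responder from relational data), as an added Python sketch that is not part of the original thread or of any SAML schema. The namespace URIs, the DocumentQuery wrapper element, the Case/CaseId fields and the record table are all assumptions constructed for illustration; the responder also checks the embedded document's namespace against the registered partner schemas before filling it in.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: one for the proposed extension, one for a partner's data schema.
EXT_NS = "urn:example:saml-doc-ext"          # hypothetical, not from the post
PARTNER_NS = "urn:example:partner-a:records"  # hypothetical partner schema
ALLOWED_NS = {PARTNER_NS}                     # only registered partner schemas are served

# Constructed stand-in for the responder's relational data (not an LDAP tree).
RECORDS = {"C-1001": {"status": "active", "office": "Reston"}}


def build_request(partial_doc_xml: str) -> str:
    """Requestor: wrap a partially filled partner document in a DocumentQuery."""
    query = ET.Element(f"{{{EXT_NS}}}DocumentQuery")
    designator = ET.SubElement(query, f"{{{EXT_NS}}}DocumentDesignator")
    description = ET.SubElement(designator, f"{{{EXT_NS}}}DocumentDescription")
    description.append(ET.fromstring(partial_doc_xml))
    return ET.tostring(query, encoding="unicode")


def namespace_of(element: ET.Element) -> str:
    """Return the namespace URI of an element's tag ('' if unqualified)."""
    return element.tag[1:].split("}")[0] if element.tag.startswith("{") else ""


def handle_request(request_xml: str) -> str:
    """Responder: locate the embedded document, vet its namespace, fill empty fields."""
    query = ET.fromstring(request_xml)
    description = query.find(
        f"{{{EXT_NS}}}DocumentDesignator/{{{EXT_NS}}}DocumentDescription")
    if description is None or len(description) != 1:
        raise ValueError("request must carry exactly one embedded document")
    doc = description[0]
    ns = namespace_of(doc)
    if ns not in ALLOWED_NS:  # reject documents from schemas we never agreed to serve
        raise ValueError(f"document namespace {ns!r} is not a registered partner schema")
    key = doc.findtext(f"{{{PARTNER_NS}}}CaseId")
    row = RECORDS.get(key)
    if row is None:
        raise LookupError(f"no record for {key!r}")
    for field, value in row.items():
        el = doc.find(f"{{{PARTNER_NS}}}{field}")
        if el is not None and not (el.text or "").strip():  # fill only what was left blank
            el.text = value
    return ET.tostring(doc, encoding="unicode")  # the completed document goes back
```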

