OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes for focus group con-call, Dec 16


Paula Austel
Scott Cantor
Peter Davis
Frederick Hirsch
Jeff Hodges (partial)
Maryann Hondo (partial)
John Hughes
John Kemp
John Linn
Eve Maler (note-taker)
Prateek Mishra (chair)
Tony Nadalin
Jahan Moreh
Mike White

			*		*		*

W-2, Scott driving the discussion:

This is the Name Identifier draft, draft-sstc-nameid-06.  This is
the basic proposal for identity federation.

The first thing to address is outstanding issues.  Scott and Tony
exchanged email a couple of days ago; Scott came to understand
Tony's F2F comments, which led to Scott changing terminology from
"one-time" to "transient".  The text in the draft doesn't apply a
strict one-time semantic, and Tony was arguing against such a
semantic, so there doesn't seem to be an issue there.

The proposal has been out there for a while.  It mostly only
changed in response to Eve's comments on the structure.  She had
suggested moving some of the common attributes on the base type
to the new derived type.  By moving things like the Format
attribute in this way, it eliminates the need for complex
processing rules for Format when it's irrelevantly used.  This
simplifies things.

The only known outstanding issue from the list or other
discussions has to do with whether we want to continue using the
Format attribute as a catchall classification value that has
overloaded semantics (syntax + meaning) or whether we want to
rename, break out the functions, etc.

Terminology discussion:

Has a question about what might be the relationship between W-2
and W-2a (the SSO-based attribute work item), and how to think
about the two.

One obvious real-world use case would be Shibboleth, where they
dealt with the existing SAML spec by creating Liberty also
independently created, a "handle" or "temporary identity
federation" or "one-time identifier" or whatever.  If all you're
doing is exchanging attributes, if you do it in-band, the real
problem is the need to have a subject of an attribute statement.

Because Shibboleth needed a call-back mechanism out of band, they
needed more. (lost the thread a bit after this, regarding one-
time identifiers that aren't used much therefore)

In Section 2 of the solution proposal, where definitions are
given setting up the general notions of accounts, federation,
etc., he's struggling with federation in its narrower vs. its
broader sense.

Fundamentally, federation is always about account linking, but
how is it accomplished -- a special identifier, or a proxy
identity driven off a few attributes?

Real-world practice is that you don't strictly need an account.
In the attribute-based model, account linkage can be avoided.
The interactions with the SP don't take place on a 1-to-1 basis
with the principal but rather through classifying the principal
through attributes.  But Prateek is right that you *can* have an

Are these term definitions intended to be integrated with the
overall glossary?


We could break the bilateral assumption that account linkage and
identity federation are equivalent.  We could provide a unique
definition for account linkage that includes but doesn't depend
on identity federation ("one can accomplish AL through IF or
through other means, such as exchange of attributes" or similar).

Agrees with this idea.

So account linkage becomes the umbrella term.  But can both IF be
accomplished without AL?

As an example, his university has contracts with various SPs, but
Scott personally doesn't.  There's an agreement to provide
service based on attributes.

A lot of people have been using account linking instead of
identity federation, because the latter has become so overloaded.

The notion of identity federation could be particularized as
attribute-based SSO in one case.

We need to stress the "identity" part rather than the
"federation" part in that circumstance, but he agrees.

Though this proposal doesn't need to address attribute-based
account linking/identity federation, we may want to add glossary
terms for that.

ACTION: Decouple the definitions of account linking and identity

ACTION: Propose terms to address the attribute-based case that
are consonant with Scott's terms.


Back to the technical aspects of the proposal:

The technical proposal hasn't changed much.  The first basic
proposal is in the vein of Irving's proposals to genericize the
key elements in our spec.  Allowing for complex content models
(perhaps counterintuitively) doesn't make the spec more complex;
it merely allows people to do the things they want/need to do.
Because there's an abstract type, customizers would still need to
define their own type in order to extend the base.

BaseNameIdentifierType re-bases the old simple NameIdentifier on
top of this new complex one.  Only the attributes that
potentially apply across multiple kinds of NameIdentifiers are in
the base type: NameQualifier (just as before), SPNameQualifier
(new, in order to allow identity federation through a triple --
two providers are involved), NotBefore (new), and NotOnOrAfter
(new).  If you have an encrypted name identifier, you may still
want to communicate the public-information name qualifiers
outside of the encrypted block.  The validity-period attributes
are useful particularly for encrypted name identifiers.

(missed question about use case)

(missed one use case)

Another use case is to indicate how long the relying party can
rely on the value.  It doesn't relate to the validity of the
assertion, but to the "handle".  This can get weird if the
validity period falls within the validity period of the
assertion, and he can't think of a good reason.  We may want to
have processing rules around it, but it doesn't seem to introduce

The old SAML V1.x structure is now relegated to a concrete
restriction of that base type back down to a string, and it
introduces attributes specific to string-based identifiers,
including Format (like it was before) and SPProvidedIdentifier
(new, motivated by the identity federation use case).

The two new SP* attributes are done in reverse fashion from how
they're done in the contributed Liberty material; the latter has
attributes for IdPs not SPs, but if given the chance they
apparently would do it over in the fashion Scott has proposed.

SPNameQualifier attribute?

It helps to unambiguously identity the other provider in the
account relationship.  It might be on the basis of either
identity or attributes.  In the later text of the proposal, these
two attributes' values could be determined from context.  They're
optional, even in the context of account linking.  In the common
case, the account provider is probably issuing the name during

Finally, the case of an encrypted name identifier is derived from
the base name identifier type, using XML Encryption elements.
(This is why we needed the ability to have a non-string-based
name identifier in the first place.) That spec already covers a
lot of encryption infrastructure, so we ourselves don't have to
say anything about a nonce etc.

The presence of NameQualifier attributes on both sides and the
schema-validity of the encryption piece are what allow for
determining what providers can decrypt the name identifier.

The name of the Format attribute is theoretically problematic,
but not a problem in practice.  Other potential names might be
Interpretation, Scheme, or Schema, but she prefers Format, partly
because it's gratuitously backwards-incompatible to change it.

Agrees.  But is it worthwhile to break out the syntax vs. the

Nah.  Since we just provide a URI so far, and it's modularly
kicked out to a foreign system, why break it down further?

The three new proposed formats:

- Provider identifier: Allows you to issue assertions about
- The other two are the already-discussed use cases.

Does the focus group have consensus that the proposal (barring
AIs noted above) should be moved forward at the TC level?  Does
anyone want to record any technical issues for the record?

(Silence indicating consent :-)

Rebekah's proposal for adding structure to Issuer should ideally
use this proposal for NameIdentifier.

			*		*		*

W-3, Jahan driving the discussion:

Let's settle one thing quickly.  At the last F2F, we discussed
discovery protocols.  Did the TC agree to move ahead with the URL
method and not do anything with dynamic discovery?


Someone may come along with another protocol binding in addition
to HTTP GET, but otherwise, yes.

How do we get the use cases that were provided, and reconcile
them against the current proposal, which addresses web browser
profiles specifically and is very Liberty-specific?

It's correct to identify a set of roles that a provider is
willing to play.  We (SAML) have a wider set of roles beyond just
SP and IdP.

These come from the SAML domain model, right?

Yes.  We need to account for these.

There's a bunch of protocols coming out of ID-FF, and we have the
original SAML request/response protocol, and we need the union of
these two.

Yes.  For example, a provider acting as an attribute authority is
not covered in Liberty, but we need to cover this.

What happened to the credentials collector piece in the domain

This is an additional work item.

Indeed this would mean that our domain model is also expanding
through our additional V2.0 work, so we need to union all of
this, not just the existing SAML domain model.

Perhaps we can settle on what part of the domain model is going
to be brought in to the metadata work.

She would like to work further on this, and will contact Jahan
(needs to drop off the call now).

What are the potential roles?

- Liberty -> IdP and SP (roughly SAML source site and
   destination site).  Do we also need specific client
   roles, e.g. LECP and other?
- SAML -> additionally has attribute authority, and
   "attribute consumer" in the SP role.
- SAML -> authentication authority and (if we still end up
   having it) PDP ("authorization decision authority").

Each role may support certain profiles, and in each case some
metadata may or may not apply.

The roles should be cleanly abstracted out, and the name "SAML"
shouldn't be in there.  IdP is effectively a SAML authentication
authority.  An attribute provider is effectively a SAML attribute
authority.  And so on.

The IdP may expose a SAML request/response protocol interface in
this role.  An attribute provider may do the same.

There's just SP, IdP, and AP (attribute provider)?  It seems so.

LECP also seems like a role.

A proxy certainly might have metadata.

John Hughes:
He can see a Kerberos agent having metadata.

A Kerberos profile would then have certain system entities with

Think of it in terms of profiles, and then a system entity can
don a role to which a particular set of metadata would usefully

The ID-FF V1.2 work rationalized the metadata nicely for this way
of thinking.  But it's sort of the other way around from Jeff's
mental abstraction.


So the ID-FF contributions were specific to browser profiles, but
are well prepared to have additional kinds of profiles/metadata
added eventually?  It seems so.

ACTION: Review the final ID-FF V1.2 metdata specs to

Is it okay for us to ship a V2.0 that provides profiles that we
don't simultaneously provide good metadata for?  After all, it
took us some time to collect the right experience with interop
for SAML V1.X.

We'd rather not -- it's best for interoperability!

Works for me!

Lots of people are already working and playing with the relevant
specs, so we should be able to collect this information in good

Remember that we already have our own SAML metadata drafts, so
looking at ID-FF is good but isn't the whole story.

ACTION: Update the metadata draft if necessary according to the
latest ID-FF V1.2 materials.  (Scott will also review for this

The ID-WSF stuff, which is not contributed but is certainly
publicly available, defines additional roles on the consumer
side; we can perhaps leverage this terminology down the road.

To summarize, it sounds like we need to further explore defining
consumer-side roles in the metadata and haven't come to definite
conclusions yet.

ACTION: Post to the list a summary of the need to define metadata
for more roles, and introduce the notion of an attribute provider
(AP) role.

			*		*		*

Next meeting: December 23.  THIS IS A FOCUS GROUP CALL, NOT A TC

Mishra, Prateek wrote:

> Relevant drafts for focus group con-call:
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/4036/draf
> t-sstc-nameid-06.pdf
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/3695/sstc
> -saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf
> Additional comments from scope draft 11:
> W-2:
> Base use case: support as described
> in liberty-architecture-overviewv1.1.
> pdf (3895) Sections 3.2.1 and
> 5.4
> Extension use case: includes use of
> "one-time" identifier as discussed in
> mail message 200310/doc00002.doc
> Need to reconcile these use cases.
> Solution proposal: draft-sstc-nameid
> (4036); also see liberty-architectureprotocols-
> schema-v1.1.pdf (3896)
> Sections 3.2, 3.3, and 3.4, along with
> the Shibboleth architecture at
> http://shibboleth.internet2.edu/docs/dr
> aft-internet2-shibboleth-arch-v05.pdf
> Original issues: see sstc-saml-1.1-
> issues-draft-02 (3690) DS-1-02
> W-3:
> Use case proposals: sstc-cantor-w3-
> metadata (4122) and
> 200311/msg00018.html
> Solution proposals: sstc-samlmetadata-
> 2.0-draft (3519) and sstcsaml-
> MetadataDiscoveryProtocols-
> 2.0-draft (3696); also see libertyarchitecture-
> protocols-schemav1.1.
> pdf (3896) Section 4, along with
> the Shibboleth architecture at
> http://shibboleth.internet2.edu/docs/dr
> aft-internet2-shibboleth-arch-v05.pdf
> Original issues: see sstc-saml-1.1-
> issues-draft-02 (3690) DS-7-06, MS-
> 5-08
> -----Original Message-----
> From: Mishra, Prateek 
> Sent: Tuesday, December 16, 2003 10:21 AM
> To: Mishra, Prateek; OASIS Security Services TC
> Subject: RE: [security-services] proposed agenda for focus group con-call,
> Dec 16
> REMINDER: We have a focus group meeting at 12 noon today. We will work
> through the items listed below.
> -----Original Message-----
> From: Mishra, Prateek [mailto:pmishra@netegrity.com] 
> Sent: Tuesday, December 09, 2003 1:42 PM
> To: OASIS Security Services TC
> Subject: [security-services] proposed agenda for focus group con-call, Dec
> 16
> Work through solution proposals for
> W-2: Identity Federation
> W-3: Meta-data and Exchange Protocol 
> Relevant documents and links may be found in the work items and scope
> document (version 11).

Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]