security-services message



Subject: Re: [security-services] Getting more work done on the FAQ


Of course, moments after I sent this, I saw something from a customer 
that suggests this addition!

Q: Is SAML V1.1 backward compatible with SAML V1.0?

	Eve

Eve L. Maler wrote:

> I took an AI on today's call to collect and send out FAQs.  I'd like to 
> get the following from all of you (please send me mail directly, unless 
> you think the TC would benefit from seeing your response):
> 
> - Comments on the existing FAQ answers
> - Comments on which new questions are most important to address soon
> - Suggestions for additional questions
> - Signups to draft some answers (for either new questions, or improved
>   answers to existing questions)
> 
> The existing FAQ is here:
> 
>   http://www.oasis-open.org/committees/security/faq.php
> 
> It covers the following questions:
> 
> 1. General
>     Q: What is SAML?
>     Q: What is the need for this specification?
>     Q: What has the SAML TC produced to date and what is the roadmap?
>     Q: Who should be involved in this effort?
>     Q: Who will benefit from this work and how?
>     Q: How does this work compare with related efforts at other standards 
> organizations?
> 2. Technical
>     Q: What is the connection between acts of authentication and SAML 
> authentication assertions?
>     Q: How does SAML protect against "man-in-the-middle" and "replay" 
> security attacks in general?
>     Q: How is trust established between a client and a SAML authority?
>     Q: Will SAML PDPs need to be configured to understand only selected 
> authorization decision queries?
>     Q: I don't currently use SOAP. Do I need to invent my own protocol 
> for requesting and getting SAML assertions?
> 
> Following are additional questions for which written answers don't 
> exist.  Some of these overlap; I'm just documenting them all in one 
> place for the first time, and it's interesting to see which come up 
> multiple times:
> 
> Collected in late 2001/early 2002, mostly contributed by Edwin DeSouza 
> (in this case, I did remove the ones we covered above):
> 
> 1. General
>     Q: Where is SAML being standardized?
>     Q: Who is participating in SAML?
>     Q: What will be the benefit of having all the major security vendors 
> implement SAML?
> 2. Features and Benefits
>     Q: Does SAML provide facilities for authentication?
>     Q: Does SAML provide facilities for authorization and access control?
>     Q: Does SAML provide facilities for distributed session management?
>     Q: Can SAML be used to provide SSO for web services?
>     Q: Can SAML be used to provide SSO for web applications (pure HTML 
> clients)?
>     Q: Can SAML be used to provide SSO for web-enabled legacy 
> applications (Citrix/Transfuse to Legacy client/server applications)?
>     Q: Can SAML be used to provide SSO across a set of applications 
> within an enterprise (intranet)?
>     Q: Can SAML be used to provide SSO across a set of applications 
> across a set of enterprises (extranet) and across firewalls?
>     Q: Can SAML provide SSO across various OS, directory, database, 
> firewalls, etc. combinations?
> 3. SAML and Other Technologies
>     3.1. Relationship to Other Standards
>         Q: How does SAML work with XML? Is XML required?
>         Q: How does SAML work with HTTP and HTTPS? Is HTTPS or HTTP 
> required?
>         Q: How does SAML work with SOAP? Is SOAP required?
>         Q: How does SAML work with SSL and TLS?
>         Q: How does SAML work with PKI?
>         Q: How does SAML work with other authentication devices?
>         Q: How does SAML work with LDAP?
>         Q: How does SAML work with XKMS (Key Management Specification)?
>         Q: How does SAML work with XACML (Access Control Markup Language)?
>         Q: How does SAML work with PSML (Provisioning Services Markup 
> Language)?
>         Q: How does SAML work with DSML (Directory Services Markup 
> Language)?
>         Q: How does SAML work with Kerberos?
>         Q: How does SAML work with XML Signature?
>         Q: How does SAML work with XML Encryption?
>     3.2. Relationship to Other Single Sign-On Frameworks
>         Q: How does SAML work with Microsoft Passport?
>         Q: How does SAML work with Project Liberty?
> 4. Technical
>     Q: How can I trust/verify a SAML transaction?
>     Q: Is there a mechanism for telling a remote party that someone's 
> authentication has now expired?
>     Q: Can SAML appear in both the header and the body of a SOAP message?
>     Q: Will SAML PDPs need to be configured to understand only selected 
> authentication decision queries?
> 
> Suggested/asked by various people over the past few months:
> 
> Q: What is federated identity?
> Q: How are SAML and Liberty related wrt federated identity?
> Q: Can I share attribute information with SAML? Can I share 
> authorization information with SAML?  (In order to highlight the 
> "non-authentication" parts of SAML)
> Q: Will the use of XML/SAML hurt the performance of transactions?
> Q: Can I use XrML or XACML or both with SAML?
> Q: What are the differences between SAML and Liberty?
> Q: What is the relation between SAML, XACML, XRML, and SPML?  (This was 
> from a public comment.  Further questions here: "It seems that for 
> example for an access control system there is no clear-cut for which 
> standard is applicable (assuming of course that standards are of 
> interest).  In case all four apply, what are the areas of conflict 
> between the four or any couple?  How about maturity and industry 
> acceptance?  Obviously SAML is in good condition in this respect.  How 
> about the others?")
> Q: How do I use SAML on Citrix architectures?
> Q: How do you maintain persistence of SAML assertions?
> Q: How do you manage lifetime of SAML assertions?
> Q: How do you squeeze more content into SAML when you wish to mix (more) 
> authentication with attributes?
> Q: Why use SAML - is it secure? (further comment from this person: 
> "answer: the threats (list) have all been examined, worked through, and 
> it is the only such set of constructs in the public domain")
> Q: Performance - can one use SAML for non-web-based applications? And 
> if so, how is it best done?
> Q: What is the position today of SAML with respect to Liberty?
> 
> Thanks for your input,
> 
>     Eve

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com


