Subject: RE: [security-services] BPP vs BAP for SAML 1.1
In our current production environment we use BPP. The primary driver was our customer's reluctance to expose their SAML service to the public Internet, and the challenges of providing a path between the 2 SAML services (navigating from our SAML service, through their perimeter proxies, to their internal SAML service) needed to support BAP. This decision may be a bit short-sighted because it provides only one-way SAML interactions (from them to us). However, that was the real-life production decision made by Southwest Airlines.

Mike

-----Original Message-----
From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
Sent: Wednesday, March 24, 2004 5:52 AM
To: 'jmoreh@sigaba.com'; 'John Hughes'; 'Security-Services'
Subject: RE: [security-services] BPP vs BAP for SAML 1.1

> -----Original Message-----
> From: Jahan Moreh [mailto:jmoreh@sigaba.com]
> Sent: Tuesday, March 23, 2004 7:01 PM
> To: John Hughes; Security-Services
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
>
> John -
> I am sure you have already thought about this. But just in case, there
> are two salient pros/cons for BPP vs. BAP:
> 1. BAP has the advantage of being more compact on the Browser (i.e.,
> only the artifact passes through the browser).
> 2. BPP has the advantage that it is "self-confirming" and does not
> require a (SOAP) connection from the assertion consumer to an
> assertion producer.

[Rob] BPP requires the use of XML-DSIG for signing/verifying the responses. The complexity associated with setting this up can be just as onerous as setting up a SOAP channel. The PKI fear factor is still high outside of the security community. While customers seem to now accept and can deal with setting up server-side SSL, when you go beyond that to mutual authn SSL or (yikes) DSIG, the fear factor really starts to rise. The reasons may be real or just perceived to be real, but they are there. BPP may perform a bit better than BAP given the need for a back-channel call. However, the performance gain is negated a bit by the expensive signing/verification/cert validation steps.

> I personally think that (2) outweighs (1), but that's another matter.

[Rob] I personally see little overall advantage of one over the other. If the customer doesn't like to deal with PKI/DSIG, we steer them to BAP. If they don't want to have to set up/manage the extra back-channel service, then we'll steer them toward BPP.

> Thanks,
> Jahan
>
> ------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141
>
> -----Original Message-----
> From: John Hughes [mailto:john.hughes@entegrity.com]
> Sent: Tuesday, March 23, 2004 1:12 AM
> To: Security-Services
> Subject: [security-services] BPP vs BAP for SAML 1.1
>
> It's just crossed my mind that it might be good to have a small section
> in the SAML 1.1 Technical Overview on the pros/cons of using BAP vs BPP
> (and vice versa). I can think of some - but welcome other input.
>
> John
>
> To unsubscribe from this mailing list (and be removed from the roster
> of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
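The artifact that Jahan's point (1) says is all that passes through the browser under BAP has a fixed SAML 1.1 layout: a 2-byte type code (0x0001), a 20-byte SourceID (SHA-1 of the source site's identifier) and a 20-byte AssertionHandle. The Python below is an added example, not code from this thread or from any product mentioned in it; it mints and parses such an artifact and shows the consumer-side checks (length, type code, SourceID known) that a receiver performs before opening the SOAP back channel Rob describes. The partner URL and resolution endpoint are constructed values.

```python
import base64
import hashlib
import secrets
from typing import Optional

# SAML 1.1 artifact, TypeCode 0x0001: 2-byte type code, 20-byte SourceID
# (SHA-1 of the source site's identifying string), 20-byte AssertionHandle.
TYPE_CODE = b"\x00\x01"
SOURCE_ID_LEN = 20
HANDLE_LEN = 20
ARTIFACT_LEN = len(TYPE_CODE) + SOURCE_ID_LEN + HANDLE_LEN  # 42 bytes


def source_id(source_url: str) -> bytes:
    """SourceID is the SHA-1 digest of the site's identifier (its URL here)."""
    return hashlib.sha1(source_url.encode("utf-8")).digest()


def make_artifact(source_url: str, handle: Optional[bytes] = None) -> str:
    """Producer side: mint an artifact; the handle is an opaque random lookup key."""
    if handle is None:
        handle = secrets.token_bytes(HANDLE_LEN)
    if len(handle) != HANDLE_LEN:
        raise ValueError("AssertionHandle must be 20 bytes")
    return base64.b64encode(TYPE_CODE + source_id(source_url) + handle).decode("ascii")


def parse_artifact(artifact: str) -> dict:
    """Consumer side: decode and structurally validate before trusting anything."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must decode to {ARTIFACT_LEN} bytes, got {len(raw)}")
    if raw[:2] != TYPE_CODE:
        raise ValueError(f"unsupported artifact type code {raw[:2].hex()}")
    return {"source_id": raw[2:2 + SOURCE_ID_LEN], "handle": raw[2 + SOURCE_ID_LEN:]}


def resolver_for(artifact: str, trusted_sources: dict) -> str:
    """Map the SourceID to a pre-registered partner's SOAP artifact-resolution
    endpoint. Unknown SourceIDs are rejected, so the consumer never dereferences
    an artifact at an endpoint it was not configured to trust."""
    sid = parse_artifact(artifact)["source_id"]
    by_id = {source_id(url): endpoint for url, endpoint in trusted_sources.items()}
    if sid not in by_id:
        raise ValueError(f"unknown SourceID {sid.hex()}")
    return by_id[sid]


# Constructed sample partner registry (hypothetical URLs, not real endpoints).
TRUSTED_SOURCES = {"https://idp.example.com": "https://idp.example.com/saml/artifact"}
```

A 42-byte artifact base64-encodes to 56 characters, which is the whole browser-visible payload under BAP; the assertion itself only ever travels over the back channel.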