OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] BPP vs BAP for SAML 1.1


FWIW, we have taken the alternative approach and are using BAP in all
cases. 

When dealing with our partners/clients the major issue they raise is the
fear of certificate management for initiating 2-way SSL and
signing/validating signatures. This is considered a bigger hurdle to
implementation than consuming XML, exposing a SOAP endpoint, or
implementing an identifier mapping service. As we are using Liberty
ID-FF V1.1 we are required to sign the assertion for both profiles so
using BPP does not simplify this issue for us.

The benefit of BAP is that we are able to include additional attribute
statements in the assertion that can contain sensitive data. We do not
have to worry about this information being exposed in the browser. 

The one implementation hurdle we (and any other highly available IdP)
have to overcome for BAP is the artifact rendezvous problem. Implementors
must consider how to ensure the artifact that is returned to the IdP in
one physical location can find its way back to the location where it was
originally created. This is problematic when the IdP has multiple
connections to the Internet.

Cheers
- P  
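
The rendezvous problem described above, as an added example that is not code from this thread or from any OASIS specification text: a Python sketch of how a SAML 1.1 Type 0x0001 artifact is built, validated, and resolved on an IdP made up of several nodes that do not share an assertion store. The artifact layout (2-byte type code 0x0001, 20-byte SourceID that is the SHA-1 of the IdP's source URL, 20-byte AssertionHandle) follows the SAML 1.1 Bindings; everything else, in particular the routing scheme that spends the first handle byte on the index of the minting node, the `IdPCluster` class, and the example URLs, is an assumption made for the illustration. The SP treats the handle as opaque, so the IdP is free to structure it this way; a shared store or sticky routing would solve the same problem differently.

```python
# Added example, not code from the thread or from any OASIS specification.
# SAML 1.1 Type 0x0001 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20),
# base64-encoded. The node-index-in-handle routing below is a hypothetical
# design for the "artifact rendezvous" problem on a multi-node IdP.
import base64
import hashlib
import secrets
from typing import Optional

TYPE_CODE = b"\x00\x01"            # SAML 1.1 artifact type code 0x0001
ARTIFACT_LEN = 2 + 20 + 20         # raw bytes before base64 encoding


def source_id(source_url: str) -> bytes:
    """SourceID: SHA-1 of the IdP's source identifier URL (per SAML 1.1 Bindings)."""
    return hashlib.sha1(source_url.encode("ascii")).digest()


def build_artifact(source_url: str, node_index: int) -> str:
    """Mint an artifact. The first handle byte names the IdP node that created
    the assertion (assumption: the SP treats the handle as opaque, so the IdP is
    free to structure it); the remaining 19 bytes (152 bits) stay unguessable."""
    if not 0 <= node_index < 256:
        raise ValueError("node_index must fit in one byte")
    handle = bytes([node_index]) + secrets.token_bytes(19)
    return base64.b64encode(TYPE_CODE + source_id(source_url) + handle).decode("ascii")


def parse_artifact(artifact: str) -> tuple[bytes, bytes]:
    """Decode and validate an artifact; return (SourceID, AssertionHandle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"expected {ARTIFACT_LEN} raw bytes, got {len(raw)}")
    if raw[:2] != TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{raw[:2].hex()}")
    return raw[2:22], raw[22:]


def sp_resolution_endpoint(artifact: str, trusted: dict[bytes, str]) -> Optional[str]:
    """SP side: map SourceID to the IdP's SOAP resolution endpoint. Unknown
    SourceID -> None; the SP must not send the artifact anywhere else."""
    sid, _ = parse_artifact(artifact)
    return trusted.get(sid)


class IdPCluster:
    """Several IdP nodes behind one published resolution URL. Each node keeps
    only the assertions it minted (no shared store), which is exactly the setup
    in which rendezvous matters."""

    def __init__(self, source_url: str, node_count: int) -> None:
        self.source_url = source_url
        self.nodes: list[dict[bytes, str]] = [dict() for _ in range(node_count)]

    def issue(self, node_index: int, assertion: str) -> str:
        """Node `node_index` creates an assertion and hands the browser an artifact."""
        artifact = build_artifact(self.source_url, node_index)
        _, handle = parse_artifact(artifact)
        self.nodes[node_index][handle] = assertion
        return artifact

    def resolve(self, artifact: str) -> Optional[str]:
        """Front door for the SP's SOAP request: route to the minting node and
        consume the artifact (single use), regardless of which node received it."""
        sid, handle = parse_artifact(artifact)
        if sid != source_id(self.source_url):
            return None                      # not ours: refuse to resolve
        node_index = handle[0]
        if node_index >= len(self.nodes):
            return None                      # stale or forged routing byte
        return self.nodes[node_index].pop(handle, None)


def resolve_without_rendezvous(cluster: IdPCluster, artifact: str, receiving_node: int) -> Optional[str]:
    """The failure mode described in the thread: the receiving node looks only
    in its own store, so an artifact minted elsewhere resolves to nothing."""
    _, handle = parse_artifact(artifact)
    return cluster.nodes[receiving_node].get(handle)


if __name__ == "__main__":
    idp = IdPCluster("https://idp.example.org/saml", node_count=3)
    art = idp.issue(2, "<Assertion for alice>")          # minted on node 2
    print(resolve_without_rendezvous(idp, art, 0))      # wrong node: nothing found
    print(idp.resolve(art))                             # routed to node 2: the assertion
    print(idp.resolve(art))                             # already consumed: nothing
```

The `resolve` method also shows two checks a resolution endpoint should make before looking anything up: the SourceID must be the IdP's own, and the artifact is consumed on first use so a replayed artifact resolves to nothing.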


> -----Original Message-----
> From: Beach, Michael C [mailto:michael.c.beach@BOEING.COM] 
> Sent: Wednesday, March 24, 2004 1:02 PM
> To: Philpott, Robert; jmoreh@sigaba.com; John Hughes; 
> Security-Services
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
> 
> 
> In our current production environment we use BPP.  The primary driver
> was our customer's reluctance to expose their SAML service to 
> the public
> Internet, and the challenges of providing a path between the 2 SAML
> services (navigating from our SAML service, through their perimeter
> proxies, to their internal SAML service) needed to support BAP.
> 
> This decision may be a bit short-sighted because it provides only
> one-way SAML interactions (from them to us).  However, that was the real
> life production decision made by Southwest Airlines.
> 
> Mike
> 
> -----Original Message-----
> From: Philpott, Robert [mailto:rphilpott@rsasecurity.com] 
> Sent: Wednesday, March 24, 2004 5:52 AM
> To: 'jmoreh@sigaba.com'; 'John Hughes'; 'Security-Services'
> Subject: RE: [security-services] BPP vs BAP for SAML 1.1
> 
> 
> > -----Original Message-----
> > From: Jahan Moreh [mailto:jmoreh@sigaba.com]
> > Sent: Tuesday, March 23, 2004 7:01 PM
> > To: John Hughes; Security-Services
> > Subject: RE: [security-services] BPP vs BAP for SAML 1.1
> > 
> > John -
> > I am sure you have already thought about this. But just in case, there
> > are two salient pros/cons for BPP vs. BAP:
> > 1. BAP has the advantage of being more compact on the browser (i.e.,
> > only the artifact passes through the browser).
> > 2. BPP has the advantage that it is "self-confirming" and does not
> > require a (SOAP) connection from the assertion consumer to an assertion
> > producer.
> 
> [Rob] BPP requires the use of XML-DSIG for signing/verifying the
> responses. The complexity associated with setting this up can be just
> as onerous as setting up a SOAP channel. The PKI fear factor is still
> high outside of the security community.  While customers seem to now
> accept and can deal with setting up server-side SSL, when you go beyond
> that to mutual authn SSL or (yikes) DSIG, the fear factor really starts
> to rise. The reasons may be real or just perceived to be real, but they
> are there.
> 
> BPP may perform a bit better than BAP given the need for a back-channel
> call.  However, the performance gain is negated a bit by the expensive
> signing/verification/cert validation steps.
> > 
> > I personally think that (2) outweighs (1), but that's another matter.
> [Rob] I personally see little overall advantage of one over the other.
> If the customer doesn't like to deal with PKI/DSIG, we steer them to
> BAP.  If they don't want to have to set up/manage the extra back-channel
> service, then we'll steer them toward BPP.
> > 
> > Thanks,
> > Jahan
> > 
> > ------
> > Jahan Moreh
> > Chief Security Architect
> > 310.288.2141
> > 
> > -----Original Message-----
> > From: John Hughes [mailto:john.hughes@entegrity.com]
> > Sent: Tuesday, March 23, 2004 1:12 AM
> > To: Security-Services
> > Subject: [security-services] BPP vs BAP for SAML 1.1
> > 
> > 
> > It's just crossed my mind that it might be good to have a small section
> > in the SAML 1.1 Technical Overview on the pros/cons of using BAP vs BPP
> > (and vice versa).  I can think of some - but welcome other input.
> > 
> > 
> > John



To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/security-services/members/l
eave_workgroup.php.

