Subject: Text for response in SAML FAQ
All - I offer the following text as a first cut answer to the FAQ "Is SAML interoperable across Java and .NET platform implementations?"

Rebekah

The .NET Web Services Enhancements (WSE) 1.0, a .NET add-on for advanced web service support, supports the consumption of SAML 1.0 assertions. If a SAML assertion is detected in the header, a .NET component will process the assertion if it is compliant with the SAML 1.0 spec. Assertions not compliant with the 1.0 version of the spec are ignored and not processed by .NET components. Further, the WSE 1.0 does not provide an object model or code to generate SAML assertions nor apply them to the security header. An implementer must build objects based on the SAML spec to plug into the security header.

Specifically regarding message signing, SAML 1.1 allows for assertions to have a WSU ID (wsu:ID) attribute. This attribute is what is used by most Java APIs to sign SOAP messages. The .NET WSE 1.0 doesn't allow the wsu:ID attribute. Instead, it uses the assertion:Id to sign saml:Assertion elements. This creates a conflict as Java uses one identification means and .NET another. One potential solution requires that all APIs involved add both an assertion:Id and wsu:ID attribute to the saml:Assertion elements, and give both ids the same value. Thus, both Java and .NET can discover the saml:Assertion and the digital signature has the same value no matter which id attribute is actually used to sign the message.

As for .NET future directions, the WSE 2.0 is out and (supposedly) has support for SAML 1.1. The WSE 3.0 is coming out later this year with the new .NET 2.0 and will provide even more extensive support for web services but again, what SAML spec they will officially support is unknown at this point. Moreover, it remains to be seen if WSE 3.0 will expand its SAML support to include both 'consume' and 'generate'.

These observations are based on implementation experience that in no way tests the full breadth of the SAML schema.
Therefore, there may be additional interoperability issues not identified here.

> -----Original Message-----
> From: Eve L. Maler [mailto:Eve.Maler@Sun.COM]
> Sent: Wednesday, March 30, 2005 12:10 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Revised SAML FAQ is up
>
> Hi folks-- The new SAML FAQ content is now available:
>
> http://www.oasis-open.org/committees/security/faq.php
>
> Please let me know if you see any problems.
>
> I took a lot of the answer text from a draft of the Executive Overview, so hopefully it looks okay. (Thanks to Paul M. for unknowingly writing the new FAQ! :-) I have saved up a bunch of other questions that we don't have written answers for yet, and would be interested in getting people signed up to propose answers (or better or more questions!). Most of the items below are verbatim from whoever posed them...
>
> ========
> - Question that highlights the GSA eAuthentication connection and interop info
>
> - Is SAML interoperable across Java and .NET platform implementations?
>
> - What level of security does SAML provide on its own? (i.e. without using PKI, Kerberos etc). In other words does it depend on complementary security standards to be implemented, or can SAML be implemented stand-alone?
>
> - Will SAML PDPs need to be configured to understand only selected authz decision queries?
>
> - How does SAML work with SPML (Services Provisioning Markup Language)?
>
> - Implementation - how do you maintain persistence?
>
> - How do you manage lifetime of SAML assertions?
>
> - How do you squeeze more content into SAML when you wish to mix (more) authentication with attributes?
>
> - Why use SAML - is it secure? (answer: the threats (list) have all been examined, worked through, and it is the only such set of constructs in the public domain)
>
> - Performance - can one use SAML for non-web based applications? And if so how is best? Will XML/SAML hurt performance of transactions?
>
> - Deeper answer to the SAML vs. XACML question on authz decision stuff
>
> - Maturity and industry acceptance?
>
> - Can SAML be used to provide SSO for web-enabled legacy applications (Citrix/Transfuse to Legacy client/server applications)?
>
> - IPR situation on SAML
> ========
>
> Eve
> --
> Eve Maler eve.maler @ sun.com
> Sun Microsystems - Business Alliances x40976 / +1 425 947 4522
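The dual-ID workaround Rebekah's message proposes, as an added example that is not part of the original post nor code from WSE or any Java toolkit: a minimal SAML 1.1 assertion carries the schema's AssertionID attribute (the "assertion:Id" the message refers to) and a wsu:Id attribute with the same value, and a ds:Reference URI is then resolved both ways, as a wsu:Id-keyed Java stack and an AssertionID-keyed WSE 1.0 would. The two namespace URIs are the real ones; the issuer, subject, timestamps and ID value are constructed, and the digest is a stand-in for canonicalisation plus DigestValue.

```python
"""Dual-ID SAML 1.1 assertion so both AssertionID- and wsu:Id-keyed signers find it."""
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 and 1.1 share this namespace
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("wsu", WSU_NS)


def build_assertion(assertion_id: str, dual: bool = True) -> ET.Element:
    """Minimal SAML 1.1 assertion (constructed sample values, not a real token).

    With dual=True the same value is placed in AssertionID (what WSE 1.0 signs by)
    and in wsu:Id (what the Java stacks sign by); dual=False mimics WSE 1.0, which
    does not allow the wsu:Id attribute at all."""
    attrs = {"MajorVersion": "1", "MinorVersion": "1", "AssertionID": assertion_id,
             "Issuer": "idp.example.org", "IssueInstant": "2005-03-30T12:10:00Z"}
    if dual:
        attrs[f"{{{WSU_NS}}}Id"] = assertion_id
    a = ET.Element(f"{{{SAML_NS}}}Assertion", attrs)
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": "2005-03-30T12:09:55Z"})
    subj = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameIdentifier").text = "alice@example.org"
    return a


def resolve_reference(header: ET.Element, uri: str, id_attr: str):
    """Resolve a ds:Reference URI="#..." the way a stack keyed on id_attr does."""
    target = uri.lstrip("#")
    return next((el for el in header.iter() if el.get(id_attr) == target), None)


def digest(el: ET.Element) -> str:
    """Stand-in for canonicalisation + DigestValue: same element -> same bytes -> same hash."""
    return hashlib.sha256(ET.tostring(el)).hexdigest()


def check_interop(assertion_id: str = "_c0ffee1234", dual: bool = True) -> dict:
    """Simulate a wsu:Id-keyed signer and an AssertionID-keyed verifier on one header."""
    header = ET.Element("Security")  # stand-in for the wsse:Security header
    header.append(build_assertion(assertion_id, dual))
    via_wsu = resolve_reference(header, "#" + assertion_id, f"{{{WSU_NS}}}Id")
    via_saml = resolve_reference(header, "#" + assertion_id, "AssertionID")
    found_both = via_wsu is not None and via_saml is not None
    return {"found_by_both": found_both,
            "same_element": found_both and via_wsu is via_saml,
            "digest_match": found_both and digest(via_wsu) == digest(via_saml)}


if __name__ == "__main__":
    print("both IDs:", check_interop(), "AssertionID only:", check_interop(dual=False))
```

With both attributes present the two lookups land on the same element and digest identical bytes; with AssertionID alone the wsu:Id lookup returns nothing, which is the conflict the message describes.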