Text for response in SAML FAQ

["Metz Rebekah" <metz_rebekah@bah.com>]

All - 

I offer the following text as a first cut answer to the FAQ
"Is SAML interoperable across Java and .NET platform implementations?"

Rebekah 

The .NET Web Services Enhancements (WSE) 1.0, a .NET add-on for advanced
web service support, supports the consumption of SAML 1.0 assertions.
If a SAML assertion is detected in the header, a .NET component will
process the assertion if it is compliant with the SAML 1.0 spec.
Assertions not compliant with the 1.0 version of the spec are ignored
and not processed by .NET components.  Further, the WSE 1.0 does not
provide an object model or code to generate SAML assertions nor apply
them to the security header.  An implementer must build objects based on
the SAML spec to plug into the security header.  

Specifically regarding message signing, SAML 1.1 allows for assertions
to have an WSU ID (wsu:ID) attribute.  This attributes is what is used
by most Java APIs to sign SOAP messages.  The .NET WSE 1.0 doesn't allow
the wsu:ID attribute.  Instead, it uses the assertion:Id to sign
saml:Assertion elements.  This creates a conflict as Java uses one
identification means and .NET another.  One potential solution requires
that all apis involved add both an assertion:Id and wsu:ID attribute to
the saml:Assertion elements, and give both ids the same value.  Thus,
both Java and .NET can discover the saml:Assertion and the digital
signature has the same value no matter which id attribute is actually
used to sign the message.

As for .NET future directions, the WSE 2.0 is out and (supposedly) has
support for SAML 1.1.  The WSE 3.0 is coming out later this year with
the new .NET 2.0 and will provide even more extensive support for web
services but again, what SAML spec they will officially support is
unknown at this point. Moreover, it remains to be seen if WSE 3.0 will
expand its SAML support to include both 'consume' and 'generate'.
 
These observations are based on implementation experience that in no way
tests the full breadth of the SAML schema.  Therefore, there may be
additional interoperability issues not identified here.

> -----Original Message-----
> From: Eve L. Maler [mailto:Eve.Maler@Sun.COM]
> Sent: Wednesday, March 30, 2005 12:10 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Revised SAML FAQ is up
> 
> Hi folks-- The new SAML FAQ content is now available:
> 
>    http://www.oasis-open.org/committees/security/faq.php
> 
> Please let me know if you see any problems.
> 
> I took a lot of the answer text from a draft of the Executive
> Overview, so hopefully it looks okay.  (Thanks to Paul M. for
> unknowingly writing the new FAQ! :-)  I have saved up a bunch of
> other questions that we don't have written answers for yet, and
> would be interested in getting people signed up to propose answers
> (or better or more questions!).  Most of the items below are
> verbatim from whoever posed them...
> 
> ========
> - Question that highlights the GSA eAuthentication connection and
> interop info
> 
> - Is SAML interoperable across Java and .NET platform implementations?
> 
> - What level of security does SAML provide on its own? (i.e. without
> using PKI, Kerberos etc). In other words does it depend on
> complementary security standards to be implemented, or can SAML be
> implemented stand-alone?
> 
> - Will SAML PDPs need to be configured to understand only selected
> authz decision queries?
> 
> - How does SAML work with SPML (Services Provisioning Markup
Language)?
> 
> - Implementation - how do you maintain persistence ?
> 
> - How do you manage lifetime of SAML assertions ?
> 
> - How do you squeeze more content into SAML when you wish to mix
> (more) authentication with attributes?
> 
> - Why use SAML - is it secure ? ( answer : the threats (list) have
> all been examined, worked through, and it is the only such set of
> constructs in the public domain)
> 
> - Performance - can one use SAML for non-web based applications ?
> And if so how is best?  Will XML/SAML hurt performance of
transactions?
> 
> - Deeper answer to the SAML vs. XACML question on authz decision stuff
> 
> - Maturity and industry acceptance?
> 
> - Can SAML be used to provide SSO for web-enabled legacy
> applications (Citrix/Transfuse to Legacy client/server applications)?
> 
> - IPR situation on SAML
> ========
> 
> 	Eve
> --
> Eve Maler                                      eve.maler @ sun.com
> Sun Microsystems - Business Alliances     x40976 / +1 425 947 4522
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
security-services-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: security-services-help@lists.oasis-
> open.org