
security-services message


Subject: RE: [security-services] SAML Single Sign-On (SSO) Service for Google Apps

Over the weekend on the saml-dev list Scott noted a number of things
that are not to spec in their static demo - missing audience condition,
missing subject confirmation data, missing destination attribute, and
the misuse of the ProtocolBinding attribute.  I downloaded their open
source code examples to take a closer look at them and it has all the
same issues.  And I noticed a few more while I was looking - the
AuthnRequest is missing the required Issuer element, Issuer is missing
in the Response (required if signed) and it looks like they are using
the wrong type of compression for redirect.  

What are people's thoughts about what, if anything, should be done by
the TC to 'police' implementations of the specification?

> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
> Sent: Monday, February 26, 2007 8:26 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] SAML Single Sign-On (SSO) Service for
> Apps
> Google Apps offers a SAML-based Single Sign-On (SSO) service that
> provides partner companies with full control over the authorization
> authentication of hosted user accounts that can access web-based
> applications like Gmail or Google Calendar. Using the SAML model,
> acts as the *service provider* and provides services such as Gmail and
> Partner Start Pages (PSP). Google partners act as *identity providers*
> and control usernames, passwords and other information used to
> authenticate and authorize users for web applications that Google
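
As an added illustration that is not part of either message or of Google's sample code: a small Python checker that reports which of the items named in the reply above (Issuer, Destination, audience condition, subject confirmation data) are absent from a SAML 2.0 message, and classifies how a redirect-binding value was compressed. The function names and the sample XML are constructed for this example; the message does not say which compression the samples used or how ProtocolBinding was misused, so the zlib case is an assumed illustration and ProtocolBinding is not checked.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def missing_items(xml_text):
    """Names of the elements/attributes listed in the message that are absent."""
    root = ET.fromstring(xml_text)
    missing = []
    if root.find("saml:Issuer", NS) is None:
        missing.append("Issuer")
    if root.tag != "{%s}Response" % NS["samlp"]:
        return missing  # e.g. AuthnRequest: only the Issuer check applies
    if not root.get("Destination"):
        missing.append("Destination")
    checks = {
        "Audience": "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        "SubjectConfirmationData":
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData",
    }
    for assertion in root.findall("saml:Assertion", NS):
        for name, path in checks.items():
            if assertion.find(path, NS) is None:
                missing.append(name)
    return missing

def redirect_compression(b64_value):
    """Classify the compression of a base64 SAMLRequest/SAMLResponse value."""
    raw = base64.b64decode(b64_value)
    try:
        zlib.decompress(raw)       # zlib wrapper (RFC 1950): header + Adler-32
        return "zlib"
    except zlib.error:
        pass
    try:
        zlib.decompress(raw, -15)  # raw DEFLATE (RFC 1951), per the redirect binding
        return "deflate"
    except zlib.error:
        return "unknown"

# Constructed sample: a Response lacking all four items.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion><saml:Subject><saml:NameID>user@example.test</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
    '</saml:Subject><saml:Conditions NotOnOrAfter="2007-02-27T00:00:00Z"/>'
    '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(missing_items(SAMPLE_RESPONSE))
```
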
