Subject: RE: [security-services] SAML Single Sign-On (SSO) Service for Google Apps
Over the weekend on the saml-dev list Scott noted a number of things that are not to spec in their static demo - missing audience condition, missing subject confirmation data, missing destination attribute, and the misuse of the ProtocolBinding attribute.

I downloaded their open source code examples to take a closer look at them and it has all the same issues. And I noticed a few more while I was looking - the AuthnRequest is missing the required Issuer element, Issuer is missing in the Response (required if signed) and it looks like they are using the wrong type of compression for redirect.

What are people's thoughts about what, if anything, should be done by the TC to 'police' implementations of the specification?

> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
> Sent: Monday, February 26, 2007 8:26 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] SAML Single Sign-On (SSO) Service for Google Apps
>
> Google Apps offers a SAML-based Single Sign-On (SSO) service that
> provides partner companies with full control over the authorization and
> authentication of hosted user accounts that can access web-based
> applications like Gmail or Google Calendar. Using the SAML model, Google
> acts as the *service provider* and provides services such as Gmail and
> Partner Start Pages (PSP). Google partners act as *identity providers*
> and control usernames, passwords and other information used to identify,
> authenticate and authorize users for web applications that Google hosts.
>
> http://code.google.com/apis/apps/sso/saml_reference_implementation.html
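Added example (not part of the original message, and not code from the reference implementation it discusses): a small Python conformance check for the items the message lists, run against a constructed sample Response. The function names and the sample are assumptions; the HTTP-Redirect binding specifies the DEFLATE encoding (RFC 1951), so the last function separates a raw DEFLATE payload from a zlib-wrapped (RFC 1950) one.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # adequate for the constructed sample below

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Response lacking every item the message lists.
SAMPLE_RESPONSE = """<samlp:Response ID="_r1" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
    <saml:Conditions/>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text):
    """Report which of the Response items named in the message are absent."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("saml:Issuer", NS) is None:
        findings.append("Response: no Issuer")
    if not root.get("Destination"):
        findings.append("Response: no Destination attribute")
    for a in root.findall("saml:Assertion", NS):
        if a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) is None:
            findings.append("Assertion: no Audience condition")
        if a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS) is None:
            findings.append("Assertion: no SubjectConfirmationData")
    return findings

def check_authn_request(xml_text):
    """An AuthnRequest must carry an Issuer child element."""
    root = ET.fromstring(xml_text)
    return [] if root.find("saml:Issuer", NS) is not None else ["AuthnRequest: no Issuer"]

def redirect_encoding(b64_value):
    """Classify a URL-decoded SAMLRequest value from an HTTP-Redirect URL."""
    raw = base64.b64decode(b64_value)
    for label, wbits in (("raw-deflate", -15), ("zlib-wrapped", zlib.MAX_WBITS)):
        try:
            zlib.decompress(raw, wbits)  # -15: RFC 1951 stream; MAX_WBITS: RFC 1950 wrapper
            return label
        except zlib.error:
            continue
    return "not-deflate"

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

Untrusted SAML messages should be parsed with a hardened XML parser and schema-validated before checks like these are applied.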