Subject: RE: [security-services] Non-browser HTTP binding for SAML

> So, I guess the ultimate question is whether there is interest in making
> a HTTP binding for the SAML protocol that doesn't require SOAP and
> supports direct server-to-server calls.  In thinking more about this, it
> might be just as easy to support an OAuth compatible binding.  Google is
> supporting RSA signing with OAuth so I believe we could achieve
> equivalent security.
> Another option would be to just extend SimpleSign to support signing of
> arbitrary HTTP based messages. I think all that is needed here is to
> allow the message to specify the parameters that need to be signed.
> Basically, just add a 'Signed' parameter that in the SAML case could be
> 'SAMLRequest,RelayState,SigAlg'. Of course the Signed parameter would be
> signed and we'd have to describe how to build the signature-base-string.

I think one question here (separate from the question of whether SAML needs
a synchronous HTTP binding) is whether this should be defined by SAML, or
whether somebody needs to solve the generic problem of signing HTTP (I think
the answer is yes; cue the S-HTTP discussion, etc.).

A perhaps related blog post:

If nobody's going to solve that, then I suppose we could, but it seems to me
that, for one thing, it's easier when going server to server to be able to
pass the XML as the MIME body, rather than have to screw around with form
posting. I would think that would be the "natural" way to do such a binding,
but it sounds like your use case would need the ability to use a form post.
Although I suppose you could use an Extension.

-- Scott
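The 'Signed'-parameter scheme sketched in the quoted proposal, worked through as an added example; this is not code from the thread or from any SAML specification. It uses HMAC-SHA256 in place of RSA so it runs stand-alone, and the base-string layout (the listed parameters in order, then Signed itself, as name=value pairs joined by '&') and the parameter values are assumptions. The verify side also checks that every parameter it relies on is actually listed in Signed, so a message that leaves RelayState out of the signed set is rejected rather than accepted with a valid signature over less.

```python
import hmac
import hashlib
from urllib.parse import quote

# Constructed shared key; HMAC-SHA256 stands in for the RSA signing the thread discusses.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample message: the proposal's 'Signed' lists which parameters are covered.
REQUEST = {
    "SAMLRequest": "PHNhbWxwOkF1dGhuUmVxdWVzdC8+",  # placeholder, not a real request
    "RelayState": "https://sp.example/return",
    "SigAlg": "hmac-sha256",
    "Signed": "SAMLRequest,RelayState,SigAlg",
}
# Parameters the receiving side refuses to accept unsigned.
REQUIRED = {"SAMLRequest", "RelayState", "SigAlg"}


def signature_base_string(params: dict) -> str:
    """Assumed layout: each name in 'Signed' (in that order), then 'Signed' itself,
    as percent-encoded name=value pairs joined by '&'. Raises KeyError if a
    listed parameter is absent from the message."""
    names = params["Signed"].split(",") + ["Signed"]
    return "&".join(f"{n}={quote(params[n], safe='')}" for n in names)


def sign(params: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of the message with a Signature over the base string."""
    base = signature_base_string(params)
    sig = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
    return {**params, "Signature": sig}


def verify(params: dict, required: set, key: bytes = DEMO_KEY) -> bool:
    """Accept only if every required parameter is covered by 'Signed' and the
    signature over the reconstructed base string matches."""
    if "Signed" not in params or "Signature" not in params:
        return False
    covered = set(params["Signed"].split(","))
    if not required <= covered:
        return False  # sender signed less than the receiver depends on
    try:
        base = signature_base_string(params)
    except KeyError:
        return False  # 'Signed' names a parameter that is not in the message
    expected = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params["Signature"])


if __name__ == "__main__":
    msg = sign(REQUEST)
    print(verify(msg, REQUIRED))                                       # True
    print(verify({**msg, "RelayState": "https://other.example/"}, REQUIRED))  # False
```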

