OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance

> Sorry, but I don't understand what you mean by the following statement:
> "That's a deployment choice, but most implementations don't tend to have
> integrated SSO + query support and assume that those are separate,
> unrelated roles."

Normally SSO includes whatever set of attributes you want to include. That's a push. If there are lots of attributes, some people prefer to deploy with a query instead, and that means standardizing when and how that would happen and with what identifiers, and that often means custom work.

The Shibboleth implementation originally relied on queries after SSO that were tightly bound together because SAML 1.1 didn't allow for encryption of the front channel assertion. The normal model with SAML 2.0 is push, but the implementation allows either approach with no special customization.

Many one-off SAML SP implementations would never think to support queries and assume they will get everything up front. Many one-off IdP implementations are similarly limited.

> You mentioned that SAML compatibility is more about compatibility to
> specific profiles. Is it accurate then to say that the Conformance document
> that is part of the SAML v2 package is not that widely used and, in practice,
> the SP and SP Lite designations, as defined in the conformance document,
> are not very often used?

I think it's accurate. I'm sure some might disagree.

> SAML is a widely used framework. Are most companies able to implement it
> based on the technical standards?

The technical standards are clear to me (but then I wrote a lot of them). They also are limited in scope to things that were agreeable to the community to standardize and there are many things that an implementation has to do to provide a complete solution. Most companies have no business implementing SAML any more than they should be implementing Kerberos or PKI. They need to find implementations that suit them. It's generally a mistake to have a web development team try to one-off something.

> How do they get their questions answered?

OASIS has a mailing list for this kind of thing (saml-dev). Beyond that, implementations usually have their own support lists.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]