
security-services message


Subject: Re: Potential impact of browser changes on SAML

Another link, this is the proposed charter of the W3C WG to work on these problems.


-- Scott

On 6/29/21, 1:11 PM, "Cantor, Scott" <cantor.2@osu.edu> wrote:

    I was asked to relay some informational links regarding the ongoing discussions and proposals emerging from the major browser vendors as they work to attack various tracking technologies and tighten up browser behavior.

    It is the expectation of many in the federated identity community that these changes could have the impact of breaking or limiting the use of existing SSO protocols like SAML and OpenID Connect. To this point, only the SameSite cookie change has had a substantive impact, and since cookies are out of scope of these protocols, they've been implementer concerns, not issues with the standards.

    The changes coming to block third party cookies and local storage are fairly similar: they could impact deployers or implementers in some cases, but they can't really by definition outright break the standards, except perhaps in the area of logout.

    The locus of discussion for raising the impacts on federated identity with the right people has I guess been the W3C's Web Platform Incubator Group [1] and I guess other groups are forming to keep pushing on all this. I really am not well-positioned to understand who, what, where.

    I would also suggest that [2] is another resource. There's yet more work being done by Apple that's probably somewhat more concrete [3].

    The expectation by some at least is that at some point, SAML and OIDC may break. That may be wrong, or it may be many years off, but that outcome would mean that either the standards get updated if it happens or they become unusable outside of controlled environments.

    -- Scott

    [1] https://www.w3.org/community/wicg/
    [2] https://github.com/WICG/WebID/
    [3] https://webkit.org/blog/category/privacy/
