
tc-announce message


Subject: [Fwd: SAML spec for consideration as an OASIS Standard]

-------- Original Message --------
Subject: [OASIS members] SAML  spec for consideration as an OASIS Standard
Date: Mon, 28 Jul 2003 15:06:13 -0400
From: "Karl F. Best" <karl.best@oasis-open.org>
Reply-To: karl.best@oasis-open.org
Organization: OASIS
To: members@lists.oasis-open.org,  tc-announce@lists.oasis-open.org

OASIS members:

The OASIS Security Services TC (SSTC) has submitted the Security
Assertion Markup Language specification v1.1, which is an approved
Committee Specification, for review and consideration for approval by
OASIS members to become an OASIS Standard. The TC's submission is
attached below.

In accordance with Section 2 of the OASIS Technical Process, the
specification has already gone through a 30-day public review period.
OASIS members now have 15 days to familiarize themselves with the
submission. On the 16th of August I will send out a Call For Vote to the
voting representative of each OASIS member organization, who will have
until the end of the month to cast their ballots on whether this
Committee Specification should be approved as an OASIS Standard. OASIS
members should give their input on this question to the voting reps of
their respective organizations.

Members should note that IPR claims related to this specification have
been made; please see http://www.oasis-open.org/committees/security/ipr.php

The normative TC Process for approval of Committee Specifications as
OASIS Standards is found at


Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org

As a result of a unanimous vote of the Security Services Technical
Committee conducted on Tuesday, 01-July-2003, the TC co-chairs hereby
submit the SAML 1.1 specification for consideration as an OASIS
Standard. Minutes for this meeting are posted at:

Pursuant to the process stipulated in Section 2 of the OASIS Technical
Committee Process, the SSTC has published:

1. "A formal specification that is a valid member of its type, together
with appropriate documentation for the specification, both of which must
be written using approved OASIS templates."

The SAML 1.1 Specifications are available in a Zip file format from the
SSTC Web site at:


The individual normative documents are available at:


The following non-normative document is also considered part of the


The following additional non-normative documents describe errata and
issues dealt with by the SSTC during its work on SAML 1.1.


2. "A clear English-language summary of the specification".

The Security Assertion Markup Language (SAML) is an XML-based framework
for exchanging security information. This security information is
expressed in the form of assertions about subjects, where a subject is
an entity (either human or computer) that has an identity in some
security domain. A typical example of a subject is a person, identified
by his or her email address in a particular Internet DNS domain.

Assertions can convey information about authentication acts performed by
subjects, attributes of subjects, and authorization decisions about
whether subjects are allowed to access certain resources. Assertions are
represented as XML constructs and have a nested structure, whereby a
single assertion might contain several different internal statements
about authentication, authorization, and attributes. Note that
assertions containing authentication statements merely describe acts of
authentication that happened previously.

Assertions are issued by SAML authorities, namely, authentication
authorities, attribute authorities, and policy decision points. SAML
defines a protocol by which clients can request assertions from SAML
authorities and get a response from them. This protocol, consisting of
XML-based request and response message formats, can be bound to many
different underlying communications and transport protocols; SAML
currently defines one binding, to SOAP over HTTP.

SAML may be profiled to enable Single Sign-On (SSO), the ability of a
user to authenticate in one domain and use resources in other domains
without re-authenticating. The SAML specifications define two Web
Browser SSO Profiles. However, note that SAML can be profiled to support
various non-SSO-specific usage scenarios, such as in authorization systems.

3. "Certification by at least three OASIS member organizations that they
are successfully using the specification consistently with the OASIS IPR

The following OASIS SSTC members have certified to the SSTC Co-Chairs
that they are successfully using the SAML 1.1 Committee Specifications
consistent with the OASIS IPR Policy:

Baltimore Technologies:
RSA Security:

4. "An account of or pointer to the comments/issues raised during the
public review period, along with their resolution".

The following comments were raised during the SAML 1.1 Public Review:

- This comment was addressed at the 10-June SSTC meeting. See minutes at

- This comment was addressed by PE23 in the errata document listed above.

- This comment was addressed during the 1-July SSTC meeting. See minutes

5. "An account of or pointer to votes and comments received in any
earlier attempts to standardize substantially the same specification,
together with the originating TC's response to each comment".

There were no earlier attempts to standardize this specification (though
the v1.0 version of SAML was approved as an OASIS Standard in November

6. "A pointer to the publicly visible comments archive for the
originating TC".

The publicly available comments archive for the SSTC is available at:

7. "A statement from the chair of the TC certifying that all members of
the TC have been provided with a copy of the OASIS IPR Policy".

This statement is available at:

Submitted by the SSTC co-chairs, Prateek Mishra pmishra@netegrity.com,
Rob Philpott rphilpott@rsasecurity.com.

Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org
