OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

trans-ws message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: SAML specification

Attached is a mail that I received from Eve Maler of the SAML OASIS TC
answering some of my questions.

For discussion at this afternoon's conference call.


Stephen Flinter
Connect Global Solutions
[t] +353 (0)1 882 9038
[f] +353 (0)1 882 9050
[m] +353 87 798 1228
[e] stephen.flinter@connectcgs.com
[w] www.connectcgs.com

> I'm contacting you on behalf of the Translation Web Services OASIS TC (
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trans-ws).
> We're currently in the process of putting together our specification
> regarding how web services will be used in the translation/localization
> industries.  As part of that spec, I am working on the issue of security,
> and in particular authentication and authorization, over the web service.
> Of the available specs that I've looked at, yours appears to be the most
> suitable for our needs.
> However, I do have a few questions:
> 1. As regards referencing your spec (or indeed any other external spec),
> what is the preferred method in your experience?  Specifically, in our
> specification, should we just make a reference to the SAML spec in our
> document, or should our WSDL have relevant portions of your spec encoded
> within it?  Are there any other standards that make reference to SAML in
> this way, and if so can you point me to them?

Ideally it's best to pull in other specs by reference so you don't
duplicate work, which might mean a normative reference in a prose
document and/or importing the SAML schemas as appropriate into a
higher-level schema.  (Currently there is no fully standard way to
indicate web service security requirements and abilities in a WSDL file,
though there are ongoing efforts to address this: the privately managed
WS-Policy work and the OASIS XACML WSPL work.)

In addition to SAML per se, you should also be looking at the OASIS WSS
(Web Services Security) work, which defines how to bind security to
individual web service messages.  That work includes, among other
profiles, a SAML profile that shows how to use SAML assertions in the
security-related SOAP header extensions defined by WSS.

> 2. Do you have a reference implementation of the SAML spec, and if so,
> where?

OASIS doesn't require reference implementations and none in fact exists
for SAML, but you may want to take a look at the open-source
OpenSAML.org implementation.  There are also many product
implementations, some of which you can download in evaluation form, and
a Java Specification Request (155) for a SAML API is in process (though
currently moving slowly).

> 3. What has been the experiece of those implementing the SAML spec?  One
> the concerns that we have is that for the first version of the
> Web Services spec, we want to make implementation as straight-forward as
> possible.  We don't want people to have to implement two complex specs
> (Trans-WS & SAML) to get a working system.  Ideally, we'd like to cover
> just authentication (username/password) initially, and introduce more
> complex security requirements at a later date.

SAML is relatively mature (though WSS is not yet finalized as a
Committee Spec).  Several of the pieces you might need, such as XML
Signature support, are starting to be fairly widely available and
mature.  Ideally you only want to profile (subset) what's already
available out there, possibly as non-normative "SHOULDs" at first until
you feel comfortable with all the relevant maturity levels.  Beyond
message-oriented protection, you may also want to look at
transport-oriented security, such as SSL/TLS, which is still extremely
common (though less flexible than the XML-aware solutions).

If you have implementation questions as you go along, the saml-dev
mailing list hosted by OASIS would be a good place to post them.

> Any help that you can provide on these issues would be most appreciated.
> Regards,
> Steve

I hope this helps, and I also hope that Prateek and Rob will fill
in/correct as they see fit...


Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com
SunNetwork 2003 Conference and Pavilion  http://www.sun.com/sunnetwork
September 16-18, 2003                    Moscone Center, San Francisco
An unparalleled event in network computing! Make the net work for you!

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]