Subject: Re: SAML specification
Attached is a mail that I received from Eve Maler of the SAML OASIS TC answering some of my questions. For discussion at this afternoon's conference call.

Steve

---------------------------------------------
Stephen Flinter
Connect Global Solutions
[t] +353 (0)1 882 9038
[f] +353 (0)1 882 9050
[m] +353 87 798 1228
[e] firstname.lastname@example.org
[w] www.connectcgs.com
--------------------------------------------

> I'm contacting you on behalf of the Translation Web Services OASIS TC
> (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trans-ws).
>
> We're currently in the process of putting together our specification
> regarding how web services will be used in the translation/localization
> industries. As part of that spec, I am working on the issue of security,
> and in particular authentication and authorization, over the web service.
> Of the available specs that I've looked at, yours appears to be the most
> suitable for our needs.
>
> However, I do have a few questions:
>
> 1. As regards referencing your spec (or indeed any other external spec),
> what is the preferred method in your experience? Specifically, in our own
> specification, should we just make a reference to the SAML spec in our
> document, or should our WSDL have relevant portions of your spec encoded
> within it? Are there any other standards that make reference to SAML in
> this way, and if so can you point me to them?

Ideally it's best to pull in other specs by reference so you don't duplicate work, which might mean a normative reference in a prose document and/or importing the SAML schemas as appropriate into a higher-level schema. (Currently there is no fully standard way to indicate web service security requirements and abilities in a WSDL file, though there are ongoing efforts to address this: the privately managed WS-Policy work and the OASIS XACML WSPL work.)

In addition to SAML per se, you should also be looking at the OASIS WSS (Web Services Security) work, which defines how to bind security to individual web service messages. That work includes, among other profiles, a SAML profile that shows how to use SAML assertions in the security-related SOAP header extensions defined by WSS.

> 2. Do you have a reference implementation of the SAML spec, and if so,
> where?

OASIS doesn't require reference implementations and none in fact exists for SAML, but you may want to take a look at the open-source OpenSAML.org implementation. There are also many product implementations, some of which you can download in evaluation form, and a Java Specification Request (155) for a SAML API is in process (though currently moving slowly).

> 3. What has been the experience of those implementing the SAML spec? One of
> the concerns that we have is that for the first version of the Translation
> Web Services spec, we want to make implementation as straightforward as
> possible. We don't want people to have to implement two complex specs
> (Trans-WS & SAML) to get a working system. Ideally, we'd like to cover
> just authentication (username/password) initially, and introduce more
> complex security requirements at a later date.

SAML is relatively mature (though WSS is not yet finalized as a Committee Spec). Several of the pieces you might need, such as XML Signature support, are starting to be fairly widely available and mature. Ideally you only want to profile (subset) what's already available out there, possibly as non-normative "SHOULDs" at first until you feel comfortable with all the relevant maturity levels. Beyond message-oriented protection, you may also want to look at transport-oriented security, such as SSL/TLS, which is still extremely common (though less flexible than the XML-aware solutions). If you have implementation questions as you go along, the saml-dev mailing list hosted by OASIS would be a good place to post them.

> Any help that you can provide on these issues would be most appreciated.
>
> Regards,
>
> Steve

I hope this helps, and I also hope that Prateek and Rob will fill in/correct as they see fit...

Eve
--
Eve Maler                                   +1 781 442 3190
Sun Microsystems                       cell +1 781 354 9441
Web Products, Technologies, and Standards   eve.maler @ sun.com
**********************************************************************
SunNetwork 2003 Conference and Pavilion   http://www.sun.com/sunnetwork
September 16-18, 2003   Moscone Center, San Francisco
An unparalleled event in network computing! Make the net work for you!
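As an added illustration of the WSS binding Eve describes above (a wsse:Security SOAP header carrying either a UsernameToken for the plain username/password starting point, or a SAML 1.x assertion as in the WSS SAML token profile), here is a receiver-side parser in Python. This is example code written for this page, not code from the mail thread, from OASIS, OpenSAML or any product; the three sample messages, the AssertionID, issuer, subject and the translateRequest body element are constructed, and the namespace URIs are the final OASIS WSS 1.0 and SAML 1.1 ones, which postdate this 2003 exchange.

```python
"""Added example: parsing a WSS <wsse:Security> header that carries either a
UsernameToken or a SAML 1.x assertion. Parsing and validity-window checks
only: XML Signature verification is NOT performed, so nothing here proves
who issued the assertion; verify the signature before trusting the subject."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: SAML 1.1 assertion in the Security header. AssertionID,
# Issuer, subject and the translateRequest body element are made up.
SAMPLE_SAML_MESSAGE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}"
    xmlns:saml="{saml}" xmlns:ds="{ds}">
  <soap:Header><wsse:Security soap:mustUnderstand="1">
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
        Issuer="idp.example.org" IssueInstant="2003-09-16T08:00:00Z">
      <saml:Conditions NotBefore="2003-09-16T08:00:00Z" NotOnOrAfter="2003-09-16T09:00:00Z"/>
      <saml:AuthenticationStatement AuthenticationInstant="2003-09-16T08:00:00Z"
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
        <saml:Subject><saml:NameIdentifier>translator@example.org</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature><!-- placeholder: a real assertion carries an XML Signature here --></ds:Signature>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body><translateRequest/></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed sample: UsernameToken with a cleartext password (only acceptable over SSL/TLS).
SAMPLE_USERNAME_MESSAGE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}">
  <soap:Header><wsse:Security soap:mustUnderstand="1">
    <wsse:UsernameToken>
      <wsse:Username>translator</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">s3cret</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body><translateRequest/></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed sample: no Security header at all.
SAMPLE_UNPROTECTED_MESSAGE = """<soap:Envelope xmlns:soap="{soap}">
  <soap:Body><translateRequest/></soap:Body>
</soap:Envelope>""".format(**NS)


def _q(prefix, local):
    """Clark-notation name, e.g. '{soap-namespace}mustUnderstand'."""
    return "{%s}%s" % (NS[prefix], local)


def parse_utc(stamp):
    """SAML timestamps are UTC with a trailing 'Z'; anything else is rejected."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_security_header(envelope_xml):
    """Return the wsse:Security element, or raise ValueError if it is unusable."""
    root = ET.fromstring(envelope_xml)
    if root.tag != _q("soap", "Envelope"):
        raise ValueError("not a SOAP 1.1 envelope")
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header: message is unauthenticated")
    # mustUnderstand=1 makes an intermediary that does not know WSS fault
    # rather than silently forward the message with its security header ignored.
    if sec.get(_q("soap", "mustUnderstand")) != "1":
        raise ValueError("wsse:Security header lacks mustUnderstand=1")
    return sec


def extract_credential(envelope_xml, now):
    """Describe the token in the Security header (signature presence only, no verification)."""
    sec = find_security_header(envelope_xml)
    token = sec.find("wsse:UsernameToken", NS)
    if token is not None:
        pw = token.find("wsse:Password", NS)
        return {"kind": "username",
                "username": token.findtext("wsse:Username", namespaces=NS),
                "password_type": None if pw is None else pw.get("Type")}
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no UsernameToken or SAML assertion in wsse:Security")
    if assertion.get("MajorVersion") != "1":
        raise ValueError("only SAML 1.x assertions are handled here")
    # Validity window from saml:Conditions. Both attributes are optional in
    # SAML 1.x, so each bound is applied only when present.
    in_window = True
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_utc(nb):
            in_window = False
        if noa and now >= parse_utc(noa):
            in_window = False
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    return {"kind": "saml",
            "issuer": assertion.get("Issuer"),
            "subject": None if stmt is None else stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
            "auth_method": None if stmt is None else stmt.get("AuthenticationMethod"),
            "in_window": in_window,
            "has_signature": assertion.find("ds:Signature", NS) is not None}


def is_authenticated_message(envelope_xml, now):
    """True when the message carries a credential the receiver could go on to verify."""
    try:
        cred = extract_credential(envelope_xml, now)
    except ValueError:
        return False
    return cred["kind"] == "username" or (cred["in_window"] and cred["has_signature"])


if __name__ == "__main__":
    now = parse_utc("2003-09-16T08:30:00Z")
    for msg in (SAMPLE_SAML_MESSAGE, SAMPLE_USERNAME_MESSAGE, SAMPLE_UNPROTECTED_MESSAGE):
        print(is_authenticated_message(msg, now))
```

The check stops exactly where Eve's answer says the real work begins: it confirms the Security header is present and marked mustUnderstand, that a SAML assertion is inside its Conditions window and carries a ds:Signature element, and it extracts the UsernameToken for the plain username/password case. Verifying the signature needs an XML Signature library, and a PasswordText UsernameToken is only defensible over SSL/TLS, the transport-level option Eve mentions.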