Slashdot Mirror
Oasis Gives SAML 1.0 a Thumbs-Up
Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"
Simple!
SAML is not part of XML and in no way complicates XML. SAML is a specification built on XML. But to say that SAML complicates XML would be like saying that Mozilla complicates glib.
an xml framework would use an xml to interface with the rest of the world.
XML is better than plain-text because unlike keyvalue pairs it can have hierarchy. It makes things more secure because cookies are on a per-domain basis and are an either/or situation with no limits on use ("use my details for customisation, but not tracking").
The project that I wrote uses SAML to pass authentication information to the various data providers.
Anyone interested in it can check out the project at http://www.nchelp.org/Meteor.htm.
If you're interested in looking at the code it can be downloaded from http://www.meteorcentral.com/
It is licensed via the LGPL.
-- Freedom means letting other people do things you don't like.
It is built on SAML. Read the deployment docs to get an overview (some of it's dated though).
We've started testing the alpha where I work, it's coming along. The stuff you'll be able to do with Shib is amazing.
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -A.Einstein
Liberty Alliance is more of a competitor to Passport than Shibboleth (although the two seem to be VERY similar). My understand about Shibboleth is that it is primarily for Higher Ed, not really geared toward business (thus its dependance on the EduPerson schema)
I've been working with Scott and Co to get the upcoming Beta release up to par. We have been running the Alpha 2.5 code in production for a class at PSU for a few months now. If you need any help or want to compare notes feel free to email me (mxe20@psu.edu).
Finkployd (mark earnest)
Yes, of course I have. But I do not believe that LR(1) grammars as constructed by yacc have any place in a computer language. Chmosky's syntax theories are designed to model human languages. A computer language that requires the power of a full LR(1) parser is almost certainly more complex than it needs to be.
lex involves processing that is only slightly simpler than yacc. Again regular expressions are great theory but using the unconstrained power of lex tends to result in specifications that are much more complex to parse than they need to be.
lex and yacc are tools for building compilers. A (non validating) xml parser can be constructed by hand without much difficulty.
Incidentally SAML does not use DTDs. In my view DTDs are an obsolete anacronism. SAML is specified using XML Schema which supports a full object oriented data model. XML Schema is unfortunately something of a beast, an XML Schema actually defines two type systems, not just one. An XML element definition defines a type of an element instance. An XML type definition actually specifies the type of a type.
Even so it is much simpler to use XML to define the data structures and then use automated toold to generate the serialization and parsing code than it is to use yacc, unless of course you start building data models arround yacc - definitively not recommended, been there, done that.
So don't jump to the conclusion that just because we did not choose to use a familliar tool we don't know what we are doing. I have written specifications based on LR(1) grammars, I have no intention of repeating the experience.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I'm not in any way involved with OASIS (although Champaign Supernova was a cool tune) but I think I can clear up some misunderstandings about SAML.
First up, it does not extend or alter XML specs in any way, it is a specification for creating authentication and authorization assertions USING XML.
It will not compete with Passport, but federated authentication systems that could compete with Passport could be designed to use SAML (see Liberty Alliance, or Internet2's Shibboleth).
IT does NOT (I said NOT) send your password from one place to another. The whole idea is to provide a common "security language" if you will to allow two different types of authentication realms to communicate. What happens is site A trusts site B, and they have worked out a deal where site B's users are allowed to access a resource at site A. So a user wanting to get into site A coming from site B would authenticate into their security realm at site B, and site B would send a SAML assertion to site A claiming that the user is who they say they are. This assertion is a blob of XML data that is digitally signed by site B. It can also be encrypted using XML-Encryption or just sent over an SSL connection.
This is very useful in higher education (where I live) since some schools intelligently use KerberosV for authentication, while some poor deluded schools use something like LDAP (pop quiz, what is it about a directory access protocol that sounds like "authentication system"?). It is nice to allow these different systems to talk to each other using a common language.
There are three types of SAML assertions, Authentication, Attribute, and Authorization Decision. An Authentication assertion simply claims that this user was able to log in. An attribute assertion contains information about the user (think Unix groups). Authorization decision is pretty much self explainatory.
Yes, XML is an annoying buzzword which clueless managers (who learn everything they know from trade rags) think should be used for everything. However this is actually a legit use of the technology. If your goal is to have a generic security language, you might as well use a generic data format.
To actually use some of this stuff, check out the OpenSAML project developed by Internet2's Middleware team. Also look at Liberty Alliance and Shibboleth.
Finkployd
I suspect that I am the only person on this thread who has actually read the specification.
SAML does not 'call for' encryption. It states that if confidentiality is a requirement then some form of encryption should be used. The actual encryption services are provided by either SSL or WS-Security.
Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.
This statement is remarkably clueless if you bother to read what SAML does. It is a single sign on protocol (amongst other things). Protecting the confidentiality of authentication credentials is not something easily overlooked when designing such protocols, particularly when it is largely based on research work done by VeriSign and Netegrity which are both specialists in cryptographic security.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/