Slashdot Mirror


Oasis Gives SAML 1.0 a Thumbs-Up

Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"


  1. Passport competition? by Alethes · · Score: 5, Interesting

    Is this an open standard that will compete with Passport, or is it something that Passport will have interoperability with? Are they even related?

    1. Re:Passport competition? by overlord2 · · Score: 3, Informative
      The thing that could be a possible Passport competitor is called Shibboleth:


      It is built on SAML. Read the deployment docs to get an overview (some of it's dated though).

      We've started testing the alpha where I work, it's coming along. The stuff you'll be able to do with Shib is amazing.

      --
      -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -A.Einstein
    2. Re:Passport competition? by finkployd · · Score: 3, Informative


      Liberty Alliance is more of a competitor to Passport than Shibboleth (although the two seem to be VERY similar). My understanding about Shibboleth is that it is primarily for Higher Ed, not really geared toward business (thus its dependence on the EduPerson schema)

      I've been working with Scott and Co to get the upcoming Beta release up to par. We have been running the Alpha 2.5 code in production for a class at PSU for a few months now. If you need any help or want to compare notes feel free to email me (mxe20@psu.edu).

      Finkployd (mark earnest)

    3. Re:Passport competition? by IamTheRealMike · · Score: 3, Insightful
      In short, no.

      Passport is a centralized web based SSO system.

      SAML is a protocol/framework for exchanging security assertions. It's not possible to build Passport out of pure SAML, for one SAML lacks a single signout protocol which kind of makes the whole thing rather useless. The Liberty Alliance (who will be releasing 1.1 soon) extend SAML to bring it up to speed.

      We can basically forget about Passport interop for now. I did look into it a few weeks ago for the Identity system I'm working on, but unless Microsoft radically change things (and indications are they won't) anything more advanced than automatic logins would require their approval, you'd probably just get denied access to the network.

  2. Just a thought by cranos · · Score: 3, Interesting

    and keep in mind I am not all that up to speed with web services but are any of these XML files that are going to be used for authentication going to be encrypted?

    I can see a giant hole here in terms of a dedicated cracker intercepting un-encrypted XML files, parsing the information and then using that info for their own nefarious (yes its a big word) schemes.

    Again when it comes to Web Services I am not the most up to date, its just a thought

    1. Re:Just a thought by Erik+Hollensbe · · Score: 3, Interesting

      Well, I'm sure the spec calls for encryption (as it would never get accepted otherwise)....

      Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.

      (Hint: if you're forced to use one of these systems (like I am), make sure you're not using a password you care about -- and don't even bother to make it cryptic)

    2. Re:Just a thought by Zeinfeld · · Score: 3, Informative
      Well, I'm sure the spec calls for encryption (as it would never get accepted otherwise)....

      I suspect that I am the only person on this thread who has actually read the specification.

      SAML does not 'call for' encryption. It states that if confidentiality is a requirement then some form of encryption should be used. The actual encryption services are provided by either SSL or WS-Security.

      Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.

      This statement is remarkably clueless if you bother to read what SAML does. It is a single sign on protocol (amongst other things). Protecting the confidentiality of authentication credentials is not something easily overlooked when designing such protocols, particularly when it is largely based on research work done by VeriSign and Netegrity which are both specialists in cryptographic security.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  3. And as always by kaosrain · · Score: 3, Funny

    Pornography will be the first industry to utilize this new technology ;) -Kaos

  4. Re:Bah. by smallpaul · · Score: 5, Informative

    SAML is not part of XML and in no way complicates XML. SAML is a specification built on XML. But to say that SAML complicates XML would be like saying that Mozilla complicates glib.

  5. In Other News... by CySurflex · · Score: 5, Funny
    In Other News...

    The W3C announces the new "CONVERT everything to XML guidebook", including new XML underwear, a revised XSLT super hero, an XML car that drives you to any XPATH, XSD-SCHEMA based twinkies, and of course still supporting the girlfriend that doesn't answer any XML-QUERIES.

  6. But what I really want to know is... by Myco · · Score: 4, Funny

    Do they still think they're the Beatles?

  7. Implementation already included in MS FrontPage by PDHoss · · Score: 5, Funny


    !seineeWerAsreenignEepacsteN
    </password>

    --
    ======================================
    Writers get in shape by pumping irony.
  8. Re:Bah. by Zeinfeld · · Score: 3, Informative
    Seriously, has anyone heard of lex and yacc these days?

    Yes, of course I have. But I do not believe that LR(1) grammars as constructed by yacc have any place in a computer language. Chomsky's syntax theories are designed to model human languages. A computer language that requires the power of a full LR(1) parser is almost certainly more complex than it needs to be.

    lex involves processing that is only slightly simpler than yacc. Again regular expressions are great theory but using the unconstrained power of lex tends to result in specifications that are much more complex to parse than they need to be.

    lex and yacc are tools for building compilers. A (non validating) xml parser can be constructed by hand without much difficulty.

    Incidentally SAML does not use DTDs. In my view DTDs are an obsolete anachronism. SAML is specified using XML Schema which supports a full object oriented data model. XML Schema is unfortunately something of a beast, an XML Schema actually defines two type systems, not just one. An XML element definition defines a type of an element instance. An XML type definition actually specifies the type of a type.

    Even so it is much simpler to use XML to define the data structures and then use automated tools to generate the serialization and parsing code than it is to use yacc, unless of course you start building data models around yacc - definitively not recommended, been there, done that.

    So don't jump to the conclusion that just because we did not choose to use a familiar tool we don't know what we are doing. I have written specifications based on LR(1) grammars, I have no intention of repeating the experience.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  9. Info about SAML by finkployd · · Score: 5, Informative

    I'm not in any way involved with OASIS (although Champagne Supernova was a cool tune) but I think I can clear up some misunderstandings about SAML.

    First up, it does not extend or alter XML specs in any way, it is a specification for creating authentication and authorization assertions USING XML.

    It will not compete with Passport, but federated authentication systems that could compete with Passport could be designed to use SAML (see Liberty Alliance, or Internet2's Shibboleth).

    It does NOT (I said NOT) send your password from one place to another. The whole idea is to provide a common "security language" if you will to allow two different types of authentication realms to communicate. What happens is site A trusts site B, and they have worked out a deal where site B's users are allowed to access a resource at site A. So a user wanting to get into site A coming from site B would authenticate into their security realm at site B, and site B would send a SAML assertion to site A claiming that the user is who they say they are. This assertion is a blob of XML data that is digitally signed by site B. It can also be encrypted using XML-Encryption or just sent over an SSL connection.
    This is very useful in higher education (where I live) since some schools intelligently use KerberosV for authentication, while some poor deluded schools use something like LDAP (pop quiz, what is it about a directory access protocol that sounds like "authentication system"?). It is nice to allow these different systems to talk to each other using a common language.

    There are three types of SAML assertions, Authentication, Attribute, and Authorization Decision. An Authentication assertion simply claims that this user was able to log in. An attribute assertion contains information about the user (think Unix groups). Authorization decision is pretty much self explanatory.

    Yes, XML is an annoying buzzword which clueless managers (who learn everything they know from trade rags) think should be used for everything. However this is actually a legit use of the technology. If your goal is to have a generic security language, you might as well use a generic data format.

    To actually use some of this stuff, check out the OpenSAML project developed by Internet2's Middleware team. Also look at Liberty Alliance and Shibboleth.

    Finkployd

  10. Re:An example by Zeinfeld · · Score: 5, Informative
    Basically you want a site/service you've authenticated with to authenticate you with other sites, so the spec lays out how this should be done. From the RFC (just a snippet):

    More utter cluelessness, I edited the SAML specification. In the first place it is an OASIS standard, not an IETF RFC. Secondly the code fragment cited is completely bogus.

    SAML is the Security Assertion Markup Language. It allows security assertions to be specified. A security assertion consists of one or more statements, which may be subject to a number of conditions and contain additional advice.

    A SAML Authentication assertion may be used to specify that a subject has been authenticated using user name and password.

    There was a time when Karma Whores would actually read the material they were citing.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
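The two posts above (finkployd's site A / site B flow, and Zeinfeld's description of an assertion as statements under conditions) describe the same exchange from two angles. The following is an added example, not code from the thread, from OASIS or from any SAML toolkit such as OpenSAML: site B builds a SAML 1.0 assertion carrying an AuthenticationStatement and an AttributeStatement, bound by Conditions (a validity window and an audience restriction), and site A performs every check a relying party must make before acting on it. The assertion namespace `urn:oasis:names:tc:SAML:1.0:assertion` and the password AuthenticationMethod URI are the SAML 1.0 values; the attribute namespace, the hostnames, the shared key and the user data are constructed for the example. The real specification signs assertions with XML Signature; to keep the block dependency-free, an HMAC over the serialized bytes stands in for XML-DSig, which is an assumption, not what the spec prescribes.

```python
"""Added example: a SAML 1.0-style assertion built by site B and checked by site A.

HMAC over the serialized XML stands in for XML Signature (assumption for a
stdlib-only demo). Namespace and AuthenticationMethod URIs are from SAML 1.0;
everything else (hosts, key, users, attribute namespace) is constructed.
"""
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.0 password login method
ATTR_NS = "urn:example:attributes"  # hypothetical AttributeNamespace, not from any spec
ET.register_namespace("saml", SAML_NS)


def _q(tag):
    return "{%s}%s" % (SAML_NS, tag)


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, subject, audience, groups, now, ttl=300, assertion_id=None):
    """Site B: one Assertion with an AuthenticationStatement (the user logged in here)
    and an AttributeStatement (group membership), limited by Conditions so that
    site A cannot reuse it elsewhere or after it expires. No password is included."""
    root = ET.Element(_q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": assertion_id or "_" + uuid.uuid4().hex,
        "Issuer": issuer, "IssueInstant": _ts(now)})
    cond = ET.SubElement(root, _q("Conditions"), {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + timedelta(seconds=ttl))})
    restr = ET.SubElement(cond, _q("AudienceRestrictionCondition"))
    ET.SubElement(restr, _q("Audience")).text = audience
    authn = ET.SubElement(root, _q("AuthenticationStatement"), {
        "AuthenticationMethod": AM_PASSWORD, "AuthenticationInstant": _ts(now)})
    ET.SubElement(ET.SubElement(authn, _q("Subject")), _q("NameIdentifier")).text = subject
    attrs = ET.SubElement(root, _q("AttributeStatement"))
    ET.SubElement(ET.SubElement(attrs, _q("Subject")), _q("NameIdentifier")).text = subject
    attr = ET.SubElement(attrs, _q("Attribute"), {"AttributeName": "group", "AttributeNamespace": ATTR_NS})
    for g in groups:
        ET.SubElement(attr, _q("AttributeValue")).text = g
    return ET.tostring(root, encoding="unicode")


def sign_assertion(xml_text, key):
    """Stand-in for XML-DSig: MAC over the exact bytes that go over the wire."""
    return base64.b64encode(hmac.new(key, xml_text.encode(), hashlib.sha256).digest()).decode()


def verify_assertion(xml_text, signature, key, expected_issuer, expected_audience, now, seen_ids=None):
    """Site A: signature, version, issuer, validity window, audience, replay, then
    extract the authenticated subject and its attributes. Returns (ok, reason, subject, groups)."""
    if not hmac.compare_digest(sign_assertion(xml_text, key), signature):
        return False, "signature mismatch", None, []  # tampered, or not from site B at all
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("MajorVersion") != "1":
        return False, "not a SAML 1.x assertion", None, []
    if root.get("Issuer") != expected_issuer:
        return False, "unexpected issuer", None, []
    cond = root.find(_q("Conditions"))
    if cond is None:
        return False, "no Conditions element", None, []
    if now < _parse_ts(cond.get("NotBefore")) or now >= _parse_ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window", None, []
    audiences = [a.text for a in cond.iter(_q("Audience"))]
    if audiences and expected_audience not in audiences:
        return False, "audience restriction not satisfied", None, []
    if seen_ids is not None:  # an assertion is single-use within its window
        aid = root.get("AssertionID")
        if aid in seen_ids:
            return False, "replayed assertion", None, []
        seen_ids.add(aid)
    name = root.find("./%s/%s/%s" % (_q("AuthenticationStatement"), _q("Subject"), _q("NameIdentifier")))
    if name is None:
        return False, "no authenticated subject", None, []
    groups = [v.text for v in root.iter(_q("AttributeValue"))]
    return True, "ok", name.text, groups


def demo():
    """Constructed scenario: one good assertion, then replay, tampering, expiry and wrong audience."""
    key = b"shared-secret-between-site-A-and-site-B"  # constructed, not a real key
    idp, sp = "https://idp.siteb.example", "https://app.sitea.example"
    now = datetime(2002, 11, 20, 12, 0, 0, tzinfo=timezone.utc)
    xml_text = build_assertion(idp, "alice", sp, ["staff", "library"], now)
    sig = sign_assertion(xml_text, key)
    seen = set()
    return {
        "valid": verify_assertion(xml_text, sig, key, idp, sp, now, seen),
        "replay": verify_assertion(xml_text, sig, key, idp, sp, now, seen),
        "tampered": verify_assertion(xml_text.replace("alice", "bob"), sig, key, idp, sp, now),
        "expired": verify_assertion(xml_text, sig, key, idp, sp, now + timedelta(seconds=600)),
        "wrong_audience": verify_assertion(xml_text, sig, key, idp, "https://other.example", now),
    }


if __name__ == "__main__":
    for case, (ok, reason, subject, groups) in demo().items():
        print("%-14s ok=%-5s reason=%-32s subject=%s groups=%s" % (case, ok, reason, subject, groups))
```

The order of checks in `verify_assertion` is the point: nothing in the assertion is trusted until the signature binds it to site B, and even a correctly signed assertion is rejected when it is addressed to another audience, is outside its NotBefore/NotOnOrAfter window, or has already been consumed. Substituting a real XML-DSig check (with canonicalization and a pinned certificate for site B) for the HMAC is the only part that changes in a production relying party.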