Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oasis Gives SAML 1.0 a Thumbs-Up

Posted by ryuzaki0 on from the new-internet-order dept.

Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"

7 of 134 comments (clear)

  1. Passport competition? by Alethes · · Score: 5, Interesting

    Is this an open standard that will compete with Passport, or is it something that Passport will have interoperablity with? Are they even related?

  2. Re:Bah. by smallpaul · · Score: 5, Informative

    SAML is not part of XML and in no way complicates XML. SAML is a specification built on XML. But to say that SAML complicates XML would be like saying that Mozilla complicates glib.

  3. In Other News... by CySurflex · · Score: 5, Funny
    In Other News...

    The W3C announces the new "CONVERT everything to XML guidebook", including new XML underwear, a revised XSLT super hero, an XML car that drives you to any XPATH, XSD-SCHEMA based twinkies, and of course still supporting the girlfriend that doesn't answer any XML-QUERIES.

  4. But what I really want to know is... by Myco · · Score: 4, Funny

    Do they still think they're the Beatles?

    --
    My deviantArt site
  5. Implementation already included in MS FrontPage by PDHoss · · Score: 5, Funny


    !seineeWerAsreenignEepacsteN
    </password>

    --
    ======================================
    Writers get in shape by pumping irony.
  6. Info about SAML by finkployd · · Score: 5, Informative

    I'm not in any way involved with OASIS (although Champaign Supernova was a cool tune) but I think I can clear up some misunderstandings about SAML.

    First up, it does not extend or alter XML specs in any way, it is a specification for creating authentication and authorization assertions USING XML.

    It will not compete with Passport, but federated authentication systems that could compete with Passport could be designed to use SAML (see Liberty Alliance, or Internet2's Shibboleth).

    IT does NOT (I said NOT) send your password from one place to another. The whole idea is to provide a common "security language" if you will to allow two different types of authentication realms to communicate. What happens is site A trusts site B, and they have worked out a deal where site B's users are allowed to access a resource at site A. So a user wanting to get into site A coming from site B would authenticate into their security realm at site B, and site B would send a SAML assertion to site A claiming that the user is who they say they are. This assertion is a blob of XML data that is digitally signed by site B. It can also be encrypted using XML-Encryption or just sent over an SSL connection.
    This is very useful in higher education (where I live) since some schools intelligently use KerberosV for authentication, while some poor deluded schools use something like LDAP (pop quiz, what is it about a directory access protocol that sounds like "authentication system"?). It is nice to allow these different systems to talk to each other using a common language.

    There are three types of SAML assertions, Authentication, Attribute, and Authorization Decision. An Authentication assertion simply claims that this user was able to log in. An attribute assertion contains information about the user (think Unix groups). Authorization decision is pretty much self explainatory.

    Yes, XML is an annoying buzzword which clueless managers (who learn everything they know from trade rags) think should be used for everything. However this is actually a legit use of the technology. If your goal is to have a generic security language, you might as well use a generic data format.

    To actually use some of this stuff, check out the OpenSAML project developed by Internet2's Middleware team. Also look at Liberty Alliance and Shibboleth.

    Finkployd

  7. Re:An example by Zeinfeld · · Score: 5, Informative
    Basically you want a site/service you've authenticated with to authenticate you with other sites, so the spec lays out how this should be done. From the RFC (just a snippet):

    More utter clulessness, I edited the SAML specification. In the first place it is an OASIS standard, not an IETF RFC. Secondly the code fragment cited is completely bogus.

    SAML is the Security Assertion Markup Language. It allows security assertions to be specified. A security assertions consists of one or more statements, which may be subject to a number of conditions and contain additional advice.

    A SAML Authentication assertion may be used to specify that a subject has been authenticated using user name and password.

    There was a time when Karma Whores would actually read the material they were citing.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/