Oasis Gives SAML 1.0 a Thumbs-Up

Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"


  • An example (Score:1, Informative)

    by Call Me Black Cloud ( 616282 ) on Wednesday November 06, 2002 @09:27PM (#4613560)
    Basically you want a site/service you've authenticated with to authenticate you with other sites, so the spec lays out how this should be done. From the RFC (just a snippet):

    <password>
    <display>*******</display>
    <actual>password</actual>
    </password>
    Simple!
  • Re:Bah. (Score:5, Informative)

    by smallpaul ( 65919 ) <paul@@@prescod...net> on Wednesday November 06, 2002 @09:31PM (#4613576)
    SAML is not part of XML and in no way complicates XML. SAML is a specification built on XML. But to say that SAML complicates XML would be like saying that Mozilla complicates glib.
  • Re:XML framework (Score:2, Informative)

    by Anonymous Coward on Wednesday November 06, 2002 @09:34PM (#4613589)
    Unlike software, a framework includes standards.

    An XML framework would use XML to interface with the rest of the world.

    XML is better than plain text because, unlike key-value pairs, it can have hierarchy. It makes things more secure because cookies are on a per-domain basis and are an either/or situation with no limits on use ("use my details for customisation, but not tracking").

  • by bornholtz ( 94540 ) on Wednesday November 06, 2002 @10:48PM (#4613942)
    The project that I wrote uses SAML to pass authentication information to the various data providers.

    Anyone interested in it can check out the project at http://www.nchelp.org/Meteor.htm [nchelp.org].
    If you're interested in looking at the code it can be downloaded from http://www.meteorcentral.com/ [meteorcentral.com]
    It is licensed via the LGPL.
  • by overlord2 ( 136876 ) on Wednesday November 06, 2002 @11:17PM (#4614057)
    The thing that could be a possible Passport competitor is called Shibboleth:


    It is built on SAML. Read the deployment docs to get an overview (some of it's dated though).

    We've started testing the alpha where I work, it's coming along. The stuff you'll be able to do with Shib is amazing.

  • Re:Bah. (Score:3, Informative)

    by Zeinfeld ( 263942 ) on Thursday November 07, 2002 @01:02AM (#4614533) Homepage
    Seriously, has anyone heard of lex and yacc these days?

    Yes, of course I have. But I do not believe that LR(1) grammars as constructed by yacc have any place in a computer language. Chomsky's syntax theories are designed to model human languages. A computer language that requires the power of a full LR(1) parser is almost certainly more complex than it needs to be.

    lex involves processing that is only slightly simpler than yacc. Again regular expressions are great theory but using the unconstrained power of lex tends to result in specifications that are much more complex to parse than they need to be.

    lex and yacc are tools for building compilers. A (non validating) xml parser can be constructed by hand without much difficulty.

    Incidentally, SAML does not use DTDs. In my view DTDs are an obsolete anachronism. SAML is specified using XML Schema, which supports a full object-oriented data model. XML Schema is unfortunately something of a beast: an XML Schema actually defines two type systems, not just one. An XML element definition defines a type of an element instance. An XML type definition actually specifies the type of a type.

    Even so, it is much simpler to use XML to define the data structures and then use automated tools to generate the serialization and parsing code than it is to use yacc, unless of course you start building data models around yacc. Definitely not recommended; been there, done that.

    So don't jump to the conclusion that just because we did not choose to use a familiar tool we don't know what we are doing. I have written specifications based on LR(1) grammars; I have no intention of repeating the experience.

  • Re:Just a thought (Score:3, Informative)

    by Zeinfeld ( 263942 ) on Thursday November 07, 2002 @01:10AM (#4614589) Homepage
    Well, I'm sure the spec calls for encryption (as it would never get accepted otherwise)....

    I suspect that I am the only person on this thread who has actually read the specification.

    SAML does not 'call for' encryption. It states that if confidentiality is a requirement then some form of encryption should be used. The actual encryption services are provided by either SSL or WS-Security.

    Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.

    This statement is remarkably clueless if you bother to read what SAML does. It is a single sign on protocol (amongst other things). Protecting the confidentiality of authentication credentials is not something easily overlooked when designing such protocols, particularly when it is largely based on research work done by VeriSign and Netegrity which are both specialists in cryptographic security.

  • Re:An example (Score:5, Informative)

    by Zeinfeld ( 263942 ) on Thursday November 07, 2002 @01:15AM (#4614633) Homepage
    Basically you want a site/service you've authenticated with to authenticate you with other sites, so the spec lays out how this should be done. From the RFC (just a snippet):

    More utter cluelessness. I edited the SAML specification. In the first place it is an OASIS standard, not an IETF RFC. Secondly, the code fragment cited is completely bogus.

    SAML is the Security Assertion Markup Language. It allows security assertions to be specified. A security assertion consists of one or more statements, which may be subject to a number of conditions and contain additional advice.

    A SAML Authentication assertion may be used to specify that a subject has been authenticated using user name and password.

    There was a time when Karma Whores would actually read the material they were citing.
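    As an added example (it is not part of this thread and not OASIS text), here is what the structure described above looks like in practice: a SAML 1.0 assertion carrying one AuthenticationStatement, with Conditions attached, built by an issuer and then checked by a relying party in Python. The issuer, audience and subject names are made up. The relying-party check covers only the SAML version, the issuer, the NotBefore/NotOnOrAfter window, the audience restriction and the statement's subject; XML Signature verification and transport protection (SSL or WS-Security, as noted elsewhere in the thread) are deliberately left out and a real deployment must add them.

```python
# Added example (not from the thread or from OASIS): build a SAML 1.0
# assertion with one AuthenticationStatement and validate it the way a
# relying party would. Issuer, audience and subject values are made up.
# Signature verification and transport protection are NOT done here.
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
ET.register_namespace("saml", SAML_NS)


def q(tag):
    """Clark-notation name for an element in the SAML 1.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def ts(dt):
    """xsd:dateTime in UTC with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_assertion(issuer, subject, audience, now, lifetime_s=300):
    """Issuer side: one assertion = Conditions + one AuthenticationStatement."""
    a = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0",
        # AssertionID is xsd:ID, which may not start with a digit, hence the prefix.
        "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": issuer,
        "IssueInstant": ts(now),
    })
    cond = ET.SubElement(a, q("Conditions"), {
        "NotBefore": ts(now),
        "NotOnOrAfter": ts(now + timedelta(seconds=lifetime_s)),
    })
    arc = ET.SubElement(cond, q("AudienceRestrictionCondition"))
    ET.SubElement(arc, q("Audience")).text = audience
    stmt = ET.SubElement(a, q("AuthenticationStatement"), {
        "AuthenticationMethod": AM_PASSWORD,   # "subject proved a password to me"
        "AuthenticationInstant": ts(now),
    })
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = subject
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Relying-party side. Returns subject/method or raises ValueError.

    Parse untrusted XML with defusedxml in production; the stdlib parser is
    used here only to keep the example dependency-free.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion"):
        raise ValueError("not a SAML 1.0 assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "0"):
        raise ValueError("unsupported SAML version")
    if root.get("Issuer") != expected_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find(q("Conditions"))
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive.
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside validity window")
    audiences = [e.text for e in cond.iter(q("Audience"))]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this audience")
    stmt = root.find(q("AuthenticationStatement"))
    if stmt is None:
        raise ValueError("no AuthenticationStatement")
    name = stmt.find(q("Subject") + "/" + q("NameIdentifier"))
    if name is None or not name.text:
        raise ValueError("statement has no subject")
    return {"subject": name.text, "method": stmt.get("AuthenticationMethod")}


def demo():
    """Constructed run: one accepted assertion, then two rejections."""
    now = datetime(2002, 11, 7, 1, 15, tzinfo=timezone.utc)
    idp, sp = "https://idp.example.org", "https://sp.example.com"   # made-up names
    xml = build_authn_assertion(idp, "alice", sp, now)
    accepted = validate_assertion(xml, idp, sp, now)
    rejections = []
    for args in ((xml, idp, sp, now + timedelta(seconds=600)),      # replayed after expiry
                 (xml, idp, "https://other.example.net", now)):     # presented to the wrong site
        try:
            validate_assertion(*args)
        except ValueError as e:
            rejections.append(str(e))
    return accepted, rejections


if __name__ == "__main__":
    print(demo())
```

    The two rejections are the checks an SSO relying party most often gets wrong: accepting an assertion after its window has closed, and accepting one that was minted for a different audience. Neither check involves a password; the assertion only states that the issuer authenticated the subject by password, which is the point of the "bogus fragment" correction above.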
