Oasis Gives SAML 1.0 a Thumbs-Up 134
Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"
Re:XML framework (Score:2, Informative)
an xml framework would use an xml to interface with the rest of the world.
XML is better than plain-text because unlike keyvalue pairs it can have hierarchy. It makes things more secure because cookies are on a per-domain basis and are an either/or situation with no limits on use ("use my details for customisation, but not tracking").
Re:XML framework (Score:2, Interesting)
What?
Re:XML framework (Score:1)
But that's assumeing best case scenario, where everything works like it should.
Security is built on the worst case scenario.
It's no more "secure", it's not that much harder for evil people to do bad stuff.
Passport competition? (Score:5, Interesting)
Re: (Score:2)
Re:Passport competition? (Score:1)
Vendors and OS projects will need to build an impl of this protocol before anyone can hope to take on the Passport service as a vendor.
Re:Passport competition? (Score:3, Informative)
It is built on SAML. Read the deployment docs to get an overview (some of it's dated though).
We've started testing the alpha where I work, it's coming along. The stuff you'll be able to do with Shib is amazing.
Re: (Score:3, Informative)
Re:Passport competition? (Score:1)
Re:Passport competition? (Score:3, Insightful)
Passport is a centralized web based SSO system.
SAML is a protocol/framework for exchanging security assertions. It's not possible to build Passport out of pure SAML, for one SAML lacks a single signout protocol which kind of makes the whole thing rather useless. The Liberty Alliance (who will be releasing 1.1 soon) extend SAML to bring it up to speed.
We can basically forget about Passport interop for now. I did look into it a few weeks ago for the Identity system I'm working on, but unless Microsoft radically change things (and indications are they won't) anything more advanced than automatic logins would require their approval, you'd probably just get denied access to the network.
Bah. (Score:2, Insightful)
MSXML
SunXML
IBMXML
Re:Bah. (Score:2, Insightful)
Those are just libraries for creating/parsing XML documents. The output of ALL of them is 100% compliant XML. The programming interfaces are not specced at all and are of course 100% different in all implementations.
I don't think you GROK what XML is exactly to have made that statement.
Re:Bah. (Score:5, Informative)
Re:Bah. (Score:2, Insightful)
point is that XML is *completely and utterly useless* without complex and byzantine frameworks such as SAML and SOAP
Uh!
And Java (the language) is completely and utterly useless without the java class libraries. This must mean that Java is a useless language. The fact that it can be used as a standard way to build other technologies on top of is besides the point...
Re:Bah.(study xml a little more man) (Score:1)
Re:Bah.(study xml a little more man) (Score:1)
Re:Bah.(study xml a little more man) (Score:1)
ps. You can do a LOT of things with XML even without SAML or SOAP man.
ps2: You
Re:Bah.(study xml a little more man) (Score:1)
Re:Bah. (Score:1, Funny)
SunXML
IBMXML
are all just XML parsers, all parse 100% pure XML and all produce 100% pure XML.
XML is (in slashdotarian),
thou shall use tags, like so <biggles>
thou shall always close a started tag, like so </biggles>
thou shall use DTD's
People can then use XML to make standards based on that, and as long as the DTD/Scheame and notes on the DTD are aviable anything with an XML parse can use it.
Re:Bah. (Score:1)
Re: (Score:2)
Re:Bah. (Score:3, Informative)
Yes, of course I have. But I do not believe that LR(1) grammars as constructed by yacc have any place in a computer language. Chmosky's syntax theories are designed to model human languages. A computer language that requires the power of a full LR(1) parser is almost certainly more complex than it needs to be.
lex involves processing that is only slightly simpler than yacc. Again regular expressions are great theory but using the unconstrained power of lex tends to result in specifications that are much more complex to parse than they need to be.
lex and yacc are tools for building compilers. A (non validating) xml parser can be constructed by hand without much difficulty.
Incidentally SAML does not use DTDs. In my view DTDs are an obsolete anacronism. SAML is specified using XML Schema which supports a full object oriented data model. XML Schema is unfortunately something of a beast, an XML Schema actually defines two type systems, not just one. An XML element definition defines a type of an element instance. An XML type definition actually specifies the type of a type.
Even so it is much simpler to use XML to define the data structures and then use automated toold to generate the serialization and parsing code than it is to use yacc, unless of course you start building data models arround yacc - definitively not recommended, been there, done that.
So don't jump to the conclusion that just because we did not choose to use a familliar tool we don't know what we are doing. I have written specifications based on LR(1) grammars, I have no intention of repeating the experience.
Re:Bah. (Score:2)
In BNF notation Java has 54 productions, C++ has 88, and XML has 89. Where Java and C++ only support a single character encoding according to their standards, XML requires support for at least 2, one of which must be supported in both endian encodings. Where LR(1) grammars define at design time the significance of whitespace, XML must parse a DTD at runtime to determine when whitespace is or is not significant. In XML arbitrary characters or data can be represented in at least two ways other than a raw character, and XML has built into it a substitution language - so its fair to compare its complexity to C++ and CPP.
XML is a complex and difficult to implement standard (as evidenced by the very few completed, compliant parsers that are available).
Re:Bah. (Score:1)
Don't read me wrong - I believe you that it has those 89 productions. I just state that it's suprising and perhaps the fact that it looks so simple is the reason that managers like it so mutch.
Re:Bah. (Score:2)
On the surface XML looks very simple. Balanced parenthesis expressions, as you say. Just under the surface it doubles its complexity: attributes are functionality equivalent to sub-expressions which have the limitation that they themselves can't have sub-expressions. This gives you two equivalent ways to represent information, which complicates the data model. It also makes it slightly more difficult to parse.
But when you get to the actual syntax, all hell breaks loose. A parser must understand UTF-8 and UTF-16 encoding (the latter in big endian or little endian format).
A parser must also parse not only the simple embedded parenthesis we know as XML, but also a DTD. Even if it cannot validate, it must parse the DTD in order to get past it and parse the rest of the document, in order to substitute entities, and in order to handle whitespace correctly.
Beyond the DTD and "basic XML syntax", it must handle special cases for comments, CDATA sections and processing instructions. All of these are effectively subgrammars - once you enter the section it has its own completely different rules for how its content is (or is not) parsed.
The parser must also detect and substitute entities, as specified in the DTD. The DTD also determines where whitespace is and is not significant, and therefore whether the parser must or should ignore whitespace, or must report it to the application (which is using the parser).
XML looks simple, and simple non-compliant XML parsers that parse simple XML are easy to write and in abundance. But XML, complete, is complex and tricky.
Re:Bah. (Score:2)
Apparently, you do not give a flying fuck about people who do not use American English and ASCII encoding.
Well, the majority of world population does care about these issues and uses different character sets. If it means a bit more trouble for american programmers - I would say, fuck them lazy fucks.
Of course - if you ever had to fit in internationalization support into your wondercode, starting on yacc and proceeding into char* haven, then you frigging deserve it.
I would rather have the toolkit writer have a few grey hairs..
Re:Bah. (Score:2)
Actually, I do. Like most sane people I understand that one unicode character encoding (EITHER UTF-8 OR UTF-16LE OR UTF-16BE OR UTF-32 OR on of the many others) is adequate. UTF-8 gives you a nice advantage of compatibility with the ASCII-7 character set, which means widespread support for text editing.
encodings and syntax (Score:1)
Re:encodings and syntax (Score:2)
The syntax characters are not the same in all encodings. This is made completely clear by one of the appendices to the XML specification, which explains how a parser can determine the character encoding in use by examining the first four bytes of the file.
Since an XML document must start with <?xml, in UTF-8 the first four bytes will be <?xm . In UTF-16, however, the fist four bytes will contain BE or LE 16-bit encodings for just the first two characters <?, because each character uses at least 16-bits to encode. You can also determine UTF-32 encodings and others.
Encoding determines how to interpret the bits and bytes of the document into characters, and the control characters are not the same in all encodings. A parser that naively parses a document as ASCII will get the completely wrong idea if it is UTF-8 encoded, where there may be multiple bytes per character. A UTF-16 encoded document parsed as UTF-8 will be completely garbled.
Re:Bah. (Score:2)
The point of XML was to allow subset languages to be created for the efficient exchange and storage of data, in a logical (human-readable) format.
SAML is defined using XML. It changes nothing in XML. How exactly does this bring XML any closer to becoming SGML?
That your uninformed post got +4 amazes me, truly.
Re:Bah. (Score:1)
1. It's a text markup "language" with <begin tags> and </end tags> like html.
2. It's tags have to have a start and end tag and are case sensitive.
3. Start tags can have attributes in the form of attribute="value"
4. XML documents begin with an XML version tag.
That's it. Complex huh?
Re:Bah. (Score:2)
Plus 85 other rules. Yes, really - check the specification. There mere fact that it has attributes AND every tag can contain tags gives you two orthogonal and redundant data models. There are two character encodings, three character/data representations, four syntactically distinct data models ... and only about four parsers that can claim to be compliant or close to compliant with the specification. Yes, complex.
Re:Bah. (Score:2)
Allow me to repeate my objection to your frigging nonsense:
So what? Toolkit writer worries about this shit. User does not. XML is simple.
Re:Bah. (Score:2)
XML as it is now will never be efficient at anything. To be efficient, the XML structure would need to be represented in binary. (And there would be no loss of interoperability.) And any numeric arrays need to be represented raw.
Just a thought (Score:3, Interesting)
I can see a giant hole here in terms of a dedicated cracker intercepting un-encrypted XML files, parsing the information and then using that info for their own nefarious (yes its a big word) schemes.
Again when it comes to Web Services I am not the most up to date, its just a thought
Re: (Score:3, Interesting)
Re:Just a thought (Score:3, Informative)
I suspect that I am the only person on this thread who has actually read the specification.
SAML does not 'call for' encryption. It states that if confidentiality is a requirement then some form of encryption should be used. The actual encryption services are provided by either SSL or WS-Security.
Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.
This statement is remarkably clueless if you bother to read what SAML does. It is a single sign on protocol (amongst other things). Protecting the confidentiality of authentication credentials is not something easily overlooked when designing such protocols, particularly when it is largely based on research work done by VeriSign and Netegrity which are both specialists in cryptographic security.
Re:Just a thought (Score:1)
I will be reading the spec tonight, but as I said in my previous post in this case I believe that any sort of authentication standard has to move away from plain text across the net as its base and onto encryption.
Re:Just a thought (Score:2)
Not really, I was the editor.
However its a bit worrying that a spec whos entire reason for existing is cross-authentication between two or more different sets of Web Services does not make encryption part of its core.
Not at all. I was working on the WS-Security specification with Microsoft and IBM at the same time as I was editing SAML. The SAML group anticipated that WS-Security would be proposed as soon as the SOAP 1.2 specification started to stabilize.
Re:Just a thought (Score:2, Funny)
As I said I will try and read the spec tonight,family permitting.
Re:Just a thought (Score:2)
And as always (Score:3, Funny)
Re:And as always (Score:2)
An example (Score:1, Informative)
Simple!
Re:An example (Score:2)
Re:An example (Score:2)
Re:An example (Score:2)
Re:An example (Score:1)
TWEEEET!!! (Score:1)
you - out of the pool!
with <.
Where's that semi-colon, boyo?
Re:TWEEEET!!! (Score:1)
Re:TWEEEET!!! (Score:2)
<xml>
<
</xml>
Re:An example (Score:2)
My point was merely that XML being so *simple* it's funny how difficult it can be to actually use for things at times...
Re:An example (Score:5, Informative)
More utter clulessness, I edited the SAML specification. In the first place it is an OASIS standard, not an IETF RFC. Secondly the code fragment cited is completely bogus.
SAML is the Security Assertion Markup Language. It allows security assertions to be specified. A security assertions consists of one or more statements, which may be subject to a number of conditions and contain additional advice.
A SAML Authentication assertion may be used to specify that a subject has been authenticated using user name and password.
There was a time when Karma Whores would actually read the material they were citing.
Re:An example (Score:2)
I thought it was funny that the post was modded informative - I think it's hilarious that you took it so serious! Here's another xml snippet for you:
<sucka>you</sucka>
Re:An example (Score:2)
It might be funny if there weren't so many people on slashdot who might actually think that way,.
It is like Ronald Reagan making a 'joke' about bombing Russia, it wasn't funny because lots of people really did think he was a senile fool who might do something like that.
well... (Score:1, Insightful)
In Other News... (Score:5, Funny)
The W3C announces the new "CONVERT everything to XML guidebook", including new XML underwear, a revised XSLT super hero, an XML car that drives you to any XPATH, XSD-SCHEMA based twinkies, and of course still supporting the girlfriend that doesn't answer any XML-QUERIES.
New XML standard: SML (Score:1)
But what I really want to know is... (Score:4, Funny)
Implementation already included in MS FrontPage (Score:5, Funny)
!seineeWerAsreenignEepacsteN
</password>
Re:Implementation already included in MS FrontPage (Score:2)
!seineeWerAsreenignEepacsteN
</password>
That's strongly encrypted password considering that whitespace characters are significant in XML. No one will ever be able to reproduce exactly the same pattern of whitespace again! (Including me.)
Make Oasis Open Source! (Score:2, Funny)
Only when we realize the massive potential of Open Source, can we repair the weak Gaussian Blur filters in Photoshop.
Re:Make Oasis Open Source! (Score:1)
I'm sorry, (Score:1, Funny)
Dr. Hibbert: Homer, I'm afraid you'll have to undergo a coronary bypass operation.
Homer: Say it in English, Doc.
Dr. Hibbert: You're going to need open-heart surgery.
Homer: Spare me your medical mumbo-jumbo.
Dr. Hibbert: We're going to cut you open and tinker with your ticker.
Homer: Could you dumb it down a shade?
Compressing XML SAML? (Score:2, Insightful)
Re:Compressing XML SAML? (Score:1)
Re:Compressing XML SAML? (Score:2)
D. E. Knuth, The art of computer programming. Vol. 2, Seminumerical algorithms, third ed., Addison-Wesley Series in Computer Science and Information Processing. Addison-Wesley, Reading, MA, 1997.
or:
(xml I'm not encoding)
To the computer? The XML... My sax parser can understand one, allowing me to map every bit of info into a program without (much) hassle. The other, I have to write a parser to take the chunks of information and stuff it into my widget.
I use to think the same way... until I was converting cobol copybooks into C struts and/or Java. Bandwidth is cheap compared to my time, and lord knows I left some really ugly code (three companies ago) for someone to figure out why the hell I'm grabbing a few characters which map to something important in the HL7 spec.
Re:Compressing XML SAML? (Score:1)
Re:Compressing XML SAML? (Score:1)
Happy Hacking!
Re:Compressing XML SAML? (Score:1)
Unless you do some fancy custom checks, your computer can't tell this from your shopping list.
That's the point of XML, storing information in a way that your computer can easily understand what's going on.
Chuck an tag at the top, and it can check against the schema to see that it actually makes sense.
You can run it through an XSLT script, and get HTML, or the plain text form above, or maybe combine it with some other documents, and get a different type of XML document.
All of this stuff would be a whole lot harder in plain text, because your computer wouldn't know what the document meant, let alone how to do anything interesting with it.
Oops - Re:Compressing XML SAML? (Score:1)
Should have said
Chuck an <?xml
So yeah, it's a bugger to read/edit yourself. But it's a whole lot nicer from your computers point of view.
Of course you can compress it (Score:1)
For example,SVG [w3.org] - an XML standard for Vector Graphics - expects all conformant viewers to be able to handle gzip/gunzip compression.
They compress down as small as binary Flash (.swf) files.
Re:Compressing XML SAML? (Score:2)
If you want to reduce the size of the XML messages I suggest that you use a more efficient XML encoding rather than a compression algorithm.
A compression algorithm such as LZW takes entire documents and makes them smaller, this is highly efficient in terms of space but computationally intensive. Decompression typically requires the whole message or at least a substantial part of it to be read before decompression can begin.
Finaly, the problem is not that "is complex enough that nobody tends to parse it right." ASN.1 is a classical example of a good idea that was butchered in committee. The most half baked example of which being the DER encoding rules which are simply derranged. There is no 'tends' about it, no two full scale ASN.1 tools I have used can be relied on to interoperate. Some fail to interoperate with themselves.
Re:Compressing XML SAML? (Score:1)
converted to
etc... Just a thought! I guess the space recovered would be limited and it would mean the other end would have to reconstruct it.
Re:Compressing XML SAML? (Score:1)
[author]
converted to: [a]
Some one tell me how to draw less than signs!!!!
It's good to see them approving open standards (Score:2)
Re:It's good to see them approving open standards (Score:1)
it's about frickin' time (Score:1)
does this finally mean that XML is more popular than the beatles?
On public computers? (Score:1)
Have not heard from Oasis from a while... (Score:1)
Oh wait.. RTFA(s)
Scary... (Score:1)
I hope it's for the best, not just another buzzword.
After all, I can see OpenPGP encrypted files + dettached signatures encapsulated in XML sooner that this finishes being "approved".
I assure you, I see it! It's red, and has yellow dots.. ah well...
ah PGP alredy is an open standard according ITEF (Score:1)
Re:ah PGP alredy is an open standard according ITE (Score:1)
RFC = Request for Comments , not necessarily always established standards, but mostly proposed standards.
You could include references in your inmensely constructive comments. Of course for a technology to be useful to anyone, RFCs are required reading. Where is the RFC you mention (PGP in XML) ?
XrML? (Score:1)
Wonder-fire-wall? (Score:1)
What's next -- the Supergrass Encryption protocol?
LGPL Version of SAML available (Score:2, Informative)
Anyone interested in it can check out the project at http://www.nchelp.org/Meteor.htm [nchelp.org].
If you're interested in looking at the code it can be downloaded from http://www.meteorcentral.com/ [meteorcentral.com]
It is licensed via the LGPL.
I was surprised.... (Score:1)
-pysco
OpenSAML (Score:2)
Comment removed (Score:5, Informative)
Re:Info about SAML (Score:1)
I find its actually a good filter - where people quote knowledge of XML in their skill-set with no mention of any specific XML technologies you know they've just dropped in a current buzzword for good measure. Its about as useful as saying "I know about files", its that generic!
Re:Info about SAML (Score:1)
What is XML Encryption, btw? Is it different from
Encrypting XML? Is the encrypted content XML?
If yes, are the XML parsers supposed to support them too?
Re: (Score:2)
Cool! (Score:1)
(For the Sluggy-challenged, check the link in my sig.)
Last Post! (Score:1)
I don't know what it would be, but I think it'd be good to hear someone say,
"Gentlemen, what we have here is a terrifying example of the reindeer effect."
-- Jack Handley, The New Mexican, 1988.
- this post brought to you by the Automated Last Post Generator...