mace-opensaml-users - RE: How to create authentication using SAML and Security concerns!

Subject: OpenSAML user discussion


RE: How to create authentication using SAML and Security concerns!

  • From: Scott Cantor <>
  • Subject: RE: How to create authentication using SAML and Security concerns!
  • Date: Mon, 12 May 2003 10:16:35 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> I am trying to learn SAML. I have downloaded OpenSAML
> and SAML from Phaos. I would like to implement
> authorization and authentication for a web site using
> SAML. How should I proceed? (I went through the
> examples and documents SAML provides, but I would like to
> know how others are doing it and what the de facto standards are.)

SAML defines two profiles for authenticating to a site by relying on a second site, one using redirects and SOAP and the other using form POST. Neither is all that easy to capture in an API, but there's a wrapper class in OpenSAML for handling some of the form POST profile, and Shibboleth implements it on top of that class. I haven't done the artifact profile, but the basic machinery is in the library for constructing artifact queries and building the assertions, and making SOAP binding calls.

Authorization is too wide a topic to answer. The Java code has some of the authz stuff implemented, but I'd suggest looking at the XACML implementation from Sun at sourceforge for doing real external authz.

The SAML code does have support for attribute assertions, which can be part of an authz scheme. Shibboleth uses it extensively.

Unless you really need something different from what Shibboleth's code does, you might be best advised to start there and perhaps modify from that point rather than inventing something new.

> And also is there any document that talks about
> potential security risks in using SAML.

There's a security considerations document in the spec set, and the binding spec has sections in it about security threats.

> Does using
> SAML provide any additional security beyond what the
> browser is implementing?

Such as? Browsers don't do much apart from client certificates, which SAML doesn't specify the use of.

> For example, SAML assertions
> can be signed using PGP. Does SAML provide any
> additional layer of security beyond what PGP provides?

PGP and the web are orthogonal systems. SAML just encodes security assertions that can be signed and sent between sites. PGP alone can't secure a web session. You could use PGP to sign assertions in the POST profile, if the consuming site expected to use PGP to verify them.

-- Scott
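As an added illustration of what the consuming site in the form POST profile has to check before it trusts an assertion (this is not OpenSAML or Shibboleth code; the site names, identifiers and placeholder signature element in the sample response are constructed):

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol", "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SAML 1.1 Browser/POST response for hypothetical sites; the ds:Signature is a
# placeholder, so real XML-DSig verification against the issuer's key is left to a library.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ResponseID="_r1" Recipient="https://sp.example.org/SAML/POST"
 IssueInstant="2003-05-12T14:16:35Z" MajorVersion="1" MinorVersion="1">
 <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Assertion AssertionID="_a1" Issuer="idp.example.edu"
  IssueInstant="2003-05-12T14:16:35Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2003-05-12T14:16:35Z" NotOnOrAfter="2003-05-12T14:21:35Z">
   <saml:AudienceRestrictionCondition><saml:Audience>https://sp.example.org</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2003-05-12T14:16:00Z"
   AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
   <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement></saml:Assertion></samlp:Response>""")

SEEN_IDS = set()  # assertion IDs already consumed; used for replay detection

def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_post_response(b64, recipient, audience, now, skew=timedelta(minutes=3)):
    """Return (principal, None) if every profile check passes, else (None, reason)."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.find("ds:Signature", NS) is None:     # the POST profile requires a signed response
        return None, "response is not signed"
    if root.get("Recipient") != recipient:        # rejects a response lifted from another site
        return None, "Recipient mismatch"
    a = root.find("saml:Assertion", NS)
    if a is None or a.get("AssertionID") in SEEN_IDS:
        return None, "missing or replayed assertion"
    c = a.find("saml:Conditions", NS)
    if c is None or not (parse_instant(c.get("NotBefore")) - skew <= now
                         < parse_instant(c.get("NotOnOrAfter")) + skew):
        return None, "outside validity window"
    if audience not in [x.text for x in c.findall(".//saml:Audience", NS)]:
        return None, "audience mismatch"
    name = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None:
        return None, "no authentication statement"
    SEEN_IDS.add(a.get("AssertionID"))
    return name.text, None
```

The block only confirms that a signature element is present; verifying it against the asserting site's trusted key is a separate step done with an XML-Signature implementation.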
