
mace-opensaml-users - RE: SAML, JAAS, GSS-API etc

Subject: OpenSAML user discussion

  • From: "Mark Wilcox" <>
  • To: "'Richard Gundersen'" <>, <>
  • Subject: RE: SAML, JAAS, GSS-API etc
  • Date: Sat, 1 May 2004 11:53:06 -0400
  • Importance: Normal

Hi,
SAML is not either/or with JAAS/GSS-API; these are complementary systems.

Actually I will throw GSS-API out for the rest of my discussion because for
all practical purposes GSS-API only applies to Kerberos. And unless you're
writing non-Web applications, you can't do Kerberos for SSO because there is
no widely accepted way of passing Kerberos TGT tokens via HTTP. If you are
writing non-Web applications, then, I'd probably stick with Kerberos if
possible and ignore the rest of this message :).

SAML is an XML based protocol for passing around authentication and
authorization information. It doesn't actually perform the authentication or
authorization (heck, it doesn't specify how you should identify a user) -
it simply provides a way for secure transmission of this information in a
standard fashion.

The way this works is that the user logs into the authentication system and then
tries to access a protected resource via their browser. The resource and
authentication system can both speak SAML. The resource and the
authentication system speak SAML to each other (this is an oversimplification
:) and the user is allowed into the resource.

Back to where JAAS potentially fits into the picture. If the protected
resource had been a Java application and if someone writes a JAAS provider
based on one of the Java SAML implementations, then you could put that SAML
JAAS provider into your Java application & with some work to support the
ability to handle redirects required for SAML, could support SAML via JAAS.

I don't actually know of any SAML providers for JAAS but I haven't looked in
a while :).




Mark



> -----Original Message-----
> From: Richard Gundersen
> [mailto:]
> Sent: Saturday, May 01, 2004 4:51 AM
> To:
>
> Subject: SAML, JAAS, GSS-API etc
>
> Hi
>
> I'm designing a single signon architecture for a project I'm working on,
> and
> have *almost* settled on Kerberos as the authentication mechanism, GSS-API
> for client/server authentication and communication, and JAAS to create a
> custom policy for managing roles and permissions etc.
>
> I think if these are used correctly this should provide a solid base for
> my
> solution.
>
> However, now I have come across SAML, which from what I have read, could
> perhaps take the place of the JAAS and GSS-API components.
>
> My question is this: is SAML something that could be used instead of, or
> to
> complement these technologies? If anybody has experience of how SAML has
> been used with JAAS, GSS-API etc etc in a production environment I'd be
> really interested to hear. My gut feeling is GSS/JAAS might be a bit more
> flexible and robust since they are fairly mature & well understood now,
> but
> I am very open minded and interested to hear what SAML can offer.
>
> Thanks!
>
> Richard
>
> _________________________________________________________________
> Express yourself with cool emoticons - download MSN Messenger today!
> http://www.msn.co.uk/messenger
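Mark's sketch of a "SAML JAAS provider" is close to what such a thing would have to do. As an added example (not code from this thread or from OpenSAML), here is a minimal JAAS LoginModule for a SAML 1.x assertion, the version current when the thread was written, using only JDK APIs: it parses the assertion with DTDs disabled, verifies the issuer's enveloped XML signature, enforces the validity window and audience restriction, and only then puts a Principal on the Subject. The shared-state key "saml.assertion", the module options "publicKey" and "audience", and the class name are assumptions of this example; the browser redirect/POST handling Mark mentions is assumed to happen in a servlet that runs before this module and stores the raw assertion in shared state.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Assumed contract (hypothetical, not from any standard or library): the web tier stores the
// assertion XML under shared-state key "saml.assertion"; the JAAS configuration supplies the
// issuer's PublicKey as option "publicKey" and this service's audience URI as option "audience".
public class SamlAssertionLoginModule implements LoginModule {
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";
    private Subject subject;
    private Map<String, ?> sharedState, options;
    private String nameId; private Principal principal;  // set by login() / commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.sharedState = sharedState; this.options = options;
    }

    public boolean login() throws LoginException {
        Object xml = sharedState.get("saml.assertion");
        if (!(xml instanceof String)) throw new LoginException("no SAML assertion supplied");
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            // The assertion is untrusted input: forbid DTDs so no entity expansion can occur.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(((String) xml).getBytes(StandardCharsets.UTF_8)));
            Element a = doc.getDocumentElement();
            if (!SAML1.equals(a.getNamespaceURI()) || !"Assertion".equals(a.getLocalName()))
                throw new LoginException("root element is not a SAML 1.x Assertion");
            checkSignature(a);   // who issued it, and was it altered after issuance?
            checkConditions(a);  // is it still valid, and was it issued for this service?
            NodeList nid = a.getElementsByTagNameNS(SAML1, "NameIdentifier");
            if (nid.getLength() == 0) throw new LoginException("no NameIdentifier in assertion");
            nameId = nid.item(0).getTextContent().trim();
            return true;
        } catch (Exception e) {
            throw (LoginException) new LoginException("assertion rejected: " + e.getMessage()).initCause(e);
        }
    }

    // Verify the enveloped XML signature with the configured issuer key. The Signature must be a
    // direct child of the root and its single Reference must point at the root's AssertionID, so a
    // validly signed fragment placed elsewhere in the document cannot vouch for the whole assertion.
    private void checkSignature(Element a) throws Exception {
        NodeList sigs = a.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        String id = a.getAttribute("AssertionID");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != a || id.isEmpty())
            throw new LoginException("assertion is not signed at the root");
        DOMValidateContext ctx = new DOMValidateContext((PublicKey) options.get("publicKey"), sigs.item(0));
        ctx.setIdAttributeNS(a, null, "AssertionID");  // lets the "#id" reference resolve to the root
        XMLSignature xs = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        java.util.List<?> refs = xs.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + id).equals(((Reference) refs.get(0)).getURI()) || !xs.validate(ctx))
            throw new LoginException("assertion signature invalid");
    }

    // Enforce the validity window (both bounds required here) and the audience restriction: an
    // assertion replayed after NotOnOrAfter, or minted for another service, must not log anyone in.
    private void checkConditions(Element a) throws LoginException {
        NodeList cs = a.getElementsByTagNameNS(SAML1, "Conditions");
        if (cs.getLength() == 0) throw new LoginException("assertion has no Conditions");
        Element c = (Element) cs.item(0);
        Instant now = Instant.now();
        if (now.isBefore(Instant.parse(c.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(c.getAttribute("NotOnOrAfter"))))
            throw new LoginException("assertion outside its validity window");
        Object audience = options.get("audience");
        NodeList audiences = c.getElementsByTagNameNS(SAML1, "Audience");
        for (int i = 0; i < audiences.getLength(); i++)
            if (audience != null && audience.equals(audiences.item(i).getTextContent().trim())) return;
        throw new LoginException("assertion audience does not include this service");
    }

    public boolean commit() {
        if (nameId == null) return false;
        final String name = nameId;
        principal = () -> name;   // java.security.Principal's only abstract method is getName()
        subject.getPrincipals().add(principal);
        return true;
    }
    public boolean abort() { nameId = null; principal = null; return true; }
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        nameId = null; principal = null;
        return true;
    }
}
```

The module deliberately does nothing about replay: a second presentation of the same AssertionID inside its validity window would be accepted, so a real deployment would also record seen IDs until NotOnOrAfter passes. A provider built on OpenSAML would get typed assertion objects and profile handling instead of raw DOM, but the checks it must make before populating the Subject are the same ones shown here.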




