
mace-opensaml-users - RE: REST SAML implementations

Subject: OpenSAML user discussion

RE: REST SAML implementations


  • From: "Scott Cantor" <>
  • To: "'Garett Shulman'" <>, <>
  • Subject: RE: REST SAML implementations
  • Date: Fri, 27 Jan 2006 13:46:57 -0500
  • Organization: The Ohio State University

> Hello, I was wondering if anyone has tried instrumenting a
> saml installation with REST instead of SOAP. If so, are there
> any examples, pitfalls, caveats, etc. Thanks. -Garett

REST and SOAP aren't the same kind of thing. It's common to act like they're
opposites, but they aren't. REST is a style of expressing interfaces to
resources and SOAP is an application protocol. Very different things. HTTP,
of course, is an application protocol as well.

SAML has its own protocols expressed as XML messages and those protocols in
turn can be bound/encoded into transport protocols, often by tunnelling the
SAML protocol inside another application protocol as a transport, as SOAP
typically does to HTTP.

The only bindings defined by the SSTC involve SOAP 1.1 and various bindings
that tunnel across HTTP with the user agent as the intermediary.

It is very possible to tunnel SAML inside raw HTTP in place of using SOAP,
but this isn't "REST". The data is still solely in the body and is just XML.
The SOAP doesn't add anything by itself, but getting rid of it also doesn't
buy much, and loses access to all the new WSS stuff that is needed for more
complex security interactions.

There is some interest in some quarters in binding SAML protocol to some
more compact query string representation, but in all honesty, I think it's
pointless. The real problem, if there is one, is not the XML. It's the
signing. We need a simpler signing mechanism for people without XMLSig
implementations, somewhat like the signing rules for the HTTP Redirect
Binding.

Or, I suppose, somebody could explain how awful XML Signature is to
implement to the W3C, but I'm not holding my breath.

-- Scott
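The query-string signing rules of the SAML HTTP Redirect Binding that Scott points to, worked through as an added example (written for this archive page, not code from the thread or from OpenSAML). It assumes RSA with SHA-256 as the SigAlg, a constructed minimal AuthnRequest as the message, and an SP that always sends a RelayState; the verifier's key point is that the signature is checked over the URL-encoded bytes exactly as they arrived.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

const SampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0"/>` // constructed sample, not from the post
const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"                                                             // SigAlg URI for RSA-SHA256

// encodeMessage applies the binding's message encoding: raw DEFLATE, then base64.
func encodeMessage(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // a valid level never errors
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// SignRedirectQuery builds the SP's signed redirect query. The signature covers the
// URL-encoded parameter values in this fixed order, not the XML message itself.
func SignRedirectQuery(key *rsa.PrivateKey, xml, relayState string) (string, error) {
	octets := "SAMLRequest=" + url.QueryEscape(encodeMessage(xml)) +
		"&RelayState=" + url.QueryEscape(relayState) + "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := sha256.Sum256([]byte(octets))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return octets + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery verifies over the query bytes exactly as received (decoding and
// re-encoding the values is the classic way to get a signature that never matches).
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) bool {
	i := strings.LastIndex(rawQuery, "&Signature=")
	vals, err := url.ParseQuery(rawQuery)
	if i < 0 || err != nil || vals.Get("SigAlg") != sigAlg {
		return false // no signature, or an unknown/downgraded algorithm: reject before verifying
	}
	sig, err := base64.StdEncoding.DecodeString(vals.Get("Signature"))
	digest := sha256.Sum256([]byte(rawQuery[:i]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

The IdP side only needs the SP's public key and the raw query string; it never has to canonicalize XML, which is the simplification Scott is contrasting with XML Signature.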
