Shibboleth Developers

["RL 'Bob' Morgan" <>]

Yuri:

> Ken or somebody, can you update about planned milestones for the 
> OpenSAML 2.0? Or any other (open) SAML 2.0 implementations?

I don't think we have any announced milestones.  Now that the SAML 2.0 
spec is done, work can proceed on adding SAML 2.0 support to opensaml and 
to Shib, but at the moment the priority is a next release (1.3) that will 
still use SAML 1.1 (and 1.0 even, for US Fed e-auth interop).  I think the 
plan is to have some SAML 2.0 support available for use from CVS so folks 
who want to build on it can start testing.  I'm sure Scott can provide 
more info.

I think you've got the right idea here, but let me wring my hands about 
adding SAML 2.0 features piecemeal to opensaml 1.x.  Obviously research is 
research, but this is definitely a bad thing to do for software that will 
be widely deployed, especially if it will be open-sourced.  There is a 
long sad history of "protocol version 1.5" things out in the world (I can 
show you megabytes of mail on the pain this has caused in LDAP space) that 
cause enormous confusion among implementors and deployers.  Some of this 
will happen no matter what, but let's not make it worse. <end lecture />

Regarding your interest in the AuthorizationDecision stuff, as you're 
probably aware there is no use of this in Shib; the minimal support that's 
there in opensaml 1.x was contributed by someone else.  So we'd appreciate 
your contributions (8^) for 2.0 support.

 - RL "Bob"

On Fri, 7 Jan 2005, Yuri Demchenko wrote:

> Hi TF-EMC2 and Ken,
>
> After first attempts to use SAML for our AuthZ services and, in
> particular, for generating AuthzTicket based on XACML based
> Request/Response sequence, we came to the conclusion about benefits of
> SAML 2.0 against previous version SAML 1.1.
>
> See some notes about SAML 2.0 vs SAML 1.1 features at the end of message.
>
> For our experiments and prototype, we made some very limited extension
> of currently available OpenSAML 1.0.1 to support SAML 2.0 Assertions
> format just to satisfy our requirements to mentioned above AuthzTicket
> format.
>
> Additionally, we added also special SAML20XACMLAuthzDecisionStatement
> class to support XACML based SAML Authorisation Assertion.
>
> Our current development is targeted for Open Collaborative Environment
> (OCE) and Grid applications and provides further steps in development and 
> integration of the generic AAA Architecture with Web Services.
>
> So, now we are waiting for promised by Internet2 OpenSAML upgrade to
> SAML version 2.0.
>
> QUESTION:
> Ken or somebody, can you update about planned milestones for the OpenSAML 
> 2.0? Or any other (open) SAML 2.0 implementations?
>
> Also if there is an interest from the TF-EMC2, I can provide more
> information and also our test samples.
>
> I'll appreciate any information and suggestions about SAML 2.0 vs SAML 1.1 
> migration.
>
> Regards,
>
> Yuri
>
> --------------------
>
> SAML 2.0 vs SAML 1.1 - AuthZ use case
>
> Recently published SAML 2.0 specification provides even better
> security and improved functionality comparing to SAML 1.1:
>
> 1) features improving SAML security (via better integrity and secure
> context management):
>
> - Issuer element is now obligatory top level element under root
> element <Assertion>, it is moved from the attribute in <Assertion>
> element
>
> - <Subject> element is an (optional) top element and it is removed
> from the (Authn/Authz/Attribute)Statement elements as in SAML 1.1
>
> - main sensitive elements Subject/NameID, Advice/Assertion,
> AttributeStatement/Assertion now have an option of encrypted elements
> correspondingly EncryptedID, EncryptedAssertion, EncryptedAttribute
>
>
> 2) better flexibility in secure context management:
>
> - added new conditions OneTimeUse and ProxyRestriction instead of old
> DoNotCacheCondition
>
> - Assertions in Advice and AuthzDecisionStatement now can be
> referenced by also AssertionURIRef in addition to previous
> AssertionIDRef only
>
> - old element AuthorityBinding in SAML 1.1 is replaced now with new
> element AuthnContext that includes AuthnContextClassRef,
> AuthnContextDecl, AuthnContextDeclRef, or AuthenticatingAuthority
>
>
> 3) number of special AuthN context profiles are defined including
> X.509, Kerberos, PGP, XMLdsig, SSL, IP, Smartcard, mobile telephony,
> timesynch, etc.
>
>
> 4) XACML based AuthZ profile is defined by introducing elements
> XACMLAuthzDecisionStatement/Query, XACMLPolicyStatement/Query