shibboleth-dev - Re: [tf-emc2] SAML 2.0 vs SAML 1.1 - AuthZ use case
Subject: Shibboleth Developers
List archive
- From: "RL 'Bob' Morgan" <>
- To: Yuri Demchenko <>
- Cc: TF-EMC2 <>, Shibboleth Dev Team <>
- Subject: Re: [tf-emc2] SAML 2.0 vs SAML 1.1 - AuthZ use case
- Date: Tue, 11 Jan 2005 12:44:24 -0800 (PST)
Yuri:
Ken or somebody, can you update about planned milestones for the OpenSAML 2.0? Or any other (open) SAML 2.0 implementations?
I don't think we have any announced milestones. Now that the SAML 2.0 spec is done, work can proceed on adding SAML 2.0 support to opensaml and to Shib, but at the moment the priority is a next release (1.3) that will still use SAML 1.1 (and 1.0 even, for US Fed e-auth interop). I think the plan is to have some SAML 2.0 support available for use from CVS so folks who want to build on it can start testing. I'm sure Scott can provide more info.
I think you've got the right idea here, but let me wring my hands about adding SAML 2.0 features piecemeal to opensaml 1.x. Obviously research is research, but this is definitely a bad thing to do for software that will be widely deployed, especially if it will be open-sourced. There is a long sad history of "protocol version 1.5" things out in the world (I can show you megabytes of mail on the pain this has caused in LDAP space) that cause enormous confusion among implementors and deployers. Some of this will happen no matter what, but let's not make it worse. <end lecture />
Regarding your interest in the AuthorizationDecision stuff, as you're probably aware there is no use of this in Shib; the minimal support that's there in opensaml 1.x was contributed by someone else. So we'd appreciate your contributions (8^) for 2.0 support.
- RL "Bob"
On Fri, 7 Jan 2005, Yuri Demchenko wrote:
Hi TF-EMC2 and Ken,
After first attempts to use SAML for our AuthZ services and, in
particular, for generating AuthzTicket based on XACML based
Request/Response sequence, we came to the conclusion about benefits of
SAML 2.0 against previous version SAML 1.1.
See some notes about SAML 2.0 vs SAML 1.1 features at the end of message.
For our experiments and prototype, we made some very limited extension
of currently available OpenSAML 1.0.1 to support SAML 2.0 Assertions
format just to satisfy our requirements to mentioned above AuthzTicket
format.
Additionally, we added also special SAML20XACMLAuthzDecisionStatement
class to support XACML based SAML Authorisation Assertion.
Our current development is targeted for Open Collaborative Environment
(OCE) and Grid applications and provides further steps in development and integration of the generic AAA Architecture with Web Services.
So, now we are waiting for promised by Internet2 OpenSAML upgrade to
SAML version 2.0.
QUESTION:
Ken or somebody, can you update about planned milestones for the OpenSAML 2.0? Or any other (open) SAML 2.0 implementations?
Also if there is an interest from the TF-EMC2, I can provide more
information and also our test samples.
I'll appreciate any information and suggestions about SAML 2.0 vs SAML 1.1 migration.
Regards,
Yuri
--------------------
SAML 2.0 vs SAML 1.1 - AuthZ use case
Recently published SAML 2.0 specification provides even better
security and improved functionality comparing to SAML 1.1:
1) features improving SAML security (via better integrity and secure
context management):
- Issuer element is now obligatory top level element under root
element <Assertion>, it is moved from the attribute in <Assertion>
element
- <Subject> element is an (optional) top element and it is removed
from the (Authn/Authz/Attribute)Statement elements as in SAML 1.1
- main sensitive elements Subject/NameID, Advice/Assertion,
AttributeStatement/Assertion now have an option of encrypted elements
correspondingly EncryptedID, EncryptedAssertion, EncryptedAttribute
2) better flexibility in secure context management:
- added new conditions OneTimeUse and ProxyRestriction instead of old
DoNotCacheCondition
- Assertions in Advice and AuthzDecisionStatement now can be
referenced by also AssertionURIRef in addition to previous
AssertionIDRef only
- old element AuthorityBinding in SAML 1.1 is replaced now with new
element AuthnContext that includes AuthnContextClassRef,
AuthnContextDecl, AuthnContextDeclRef, or AuthenticatingAuthority
3) number of special AuthN context profiles are defined including
X.509, Kerberos, PGP, XMLdsig, SSL, IP, Smartcard, mobile telephony,
timesynch, etc.
4) XACML based AuthZ profile is defined by introducing elements
XACMLAuthzDecisionStatement/Query, XACMLPolicyStatement/Query
- Re: [tf-emc2] SAML 2.0 vs SAML 1.1 - AuthZ use case, RL 'Bob' Morgan, 01/11/2005
- Re: [tf-emc2] SAML 2.0 vs SAML 1.1 - AuthZ use case, Steven_Carmody, 01/13/2005
- Message not available
- Re: [tf-emc2] SAML 2.0 vs SAML 1.1 - AuthZ use case, Steven_Carmody, 01/19/2005
Archive powered by MHonArc 2.6.16.