shibboleth-dev - RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles

Subject: Shibboleth Developers


RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles


  • Subject: RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
  • Date: Mon, 30 Mar 2009 14:16:35 -0400


I like the HoK stuff in theory, but I do have a usability concern:

It is somewhat unclear how user friendly this approach would be with current
browsers and key stores in desktop environments. For the moment, I'll
exclude the case where a user has a single certificate, which they always use
transparently (perhaps this is the primary intended use case, but within my
domain, I do not expect it to be typical). This profile requires users to
select the correct certificate when they authenticate to their IDP, and then
to specify that same certificate again seconds later when they authenticate
to the SP. I feel like the natural reaction to being "re-prompted" for a
certificate is to think "I selected the wrong certificate, let me pick the
other one." And of course if the user behaves like this, the SSO event fails,
and the user is likely dumped to a SAML error message that might leave them
frustrated and confused.

Is there an aspect of TLS client certificate handshakes that I don't
understand that would help prevent the above scenario? My gut
instinct is that the above scenario might be common enough to preclude
adoption.
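The check the reply is describing, as an added example that is not code from the profile, the Shibboleth project or the mail's author: an SP compares the TLS client certificate it received against the certificate the IdP bound into the assertion's holder-of-key SubjectConfirmation, and reports separately whether the browser sent a different certificate (the "I picked the wrong one, let me try the other" case) or none at all. The assertion, the certificate bytes and all function names are constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
CERT_A = b"constructed DER of certificate A"
CERT_B = b"constructed DER of certificate B"

# Constructed minimal assertion: the IdP bound it to CERT_A, the certificate the browser
# presented in its TLS handshake with the IdP, via a holder-of-key SubjectConfirmation.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(CERT_A).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def hok_certificates(assertion_xml):
    """DER bytes of every X509Certificate carried in a holder-of-key SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer and other confirmation methods carry no key binding
        for x509 in sc.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs

def confirm_holder_of_key(assertion_xml, presented_cert_der):
    """SP-side check of the TLS client certificate against the assertion's key binding."""
    expected = hok_certificates(assertion_xml)
    if not expected:
        return "no-hok-confirmation"  # assertion is not usable under the HoK profile
    if presented_cert_der is None:
        return "no-client-cert"       # browser presented no certificate to the SP at all
    if presented_cert_der in expected:
        return "ok"
    return "cert-mismatch"            # the mail's scenario: a different cert was chosen at the SP

def fingerprint(cert_der):
    """SHA-256 fingerprint, what an SP would log on a mismatch instead of the raw certificate."""
    return hashlib.sha256(cert_der).hexdigest()
```

Distinguishing "cert-mismatch" from "no-client-cert" is what lets the SP show the user a message that says which certificate to re-select rather than a generic SAML error.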

________________________________________
From: Scott Cantor
Sent: Thursday, March 26, 2009 7:57 PM
Subject: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles

Just FYI, there are a number of SAML extensions and profiles entering public
review, most of which are from either the Shibboleth project or from related
activities, and most of which are likely to show up in future versions or
third party work.

-- Scott


-----Original Message-----
From: Mary McRae
Sent: Thursday, March 26, 2009 7:28 PM
Subject: [security-services] Public Review of SAML 2.0 Profiles

To OASIS members, Public Announce Lists:

The OASIS Security Services TC has recently approved the following six
(6) specifications as Committee Drafts and approved the package for
public review:

SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
SAML V2.0 Attribute Extensions Version 1.0
SAML V2.0 Condition for Delegation Restriction Version 1.0
SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
SAML V2.0 Metadata Interoperability Profile Version 1.0

The public review starts today, 26 March 2009, and ends 25 May 2009.
This is an open invitation to comment. We strongly encourage feedback
from potential users, developers and others, whether OASIS members or
not, for the sake of improving the interoperability and quality of
OASIS work. Please feel free to distribute this announcement within
your organization and to other appropriate mail lists.

More non-normative information about the specification and the
technical committee may be found at the public home page of the TC at:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.
Comments may be submitted to the TC by any person through the use of
the OASIS TC Comment Facility which can be located via the button
marked "Send A Comment" at the top of that page, or directly at:
http://www.oasis-open.org/committees/comments/index.php?wg_abbrev=security.

Submitted comments (for this work as well as other works of that TC)
are publicly archived and can be viewed at:
http://lists.oasis-open.org/archives/security-comment/. All comments
submitted to OASIS are subject to the OASIS Feedback License, which
ensures that the feedback you provide carries the same obligations at
least as the obligations of the TC members.

The specification document and related files are available here:

1. SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cd-01.html

Schema:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.xsd

-----

2. SAML V2.0 Attribute Extensions Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-ext-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-ext-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-ext-cd-01.html

Schema:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-ext.xsd

-----

3. SAML V2.0 Condition for Delegation Restriction Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation-cd-01.html

-----

4. SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cd-01.html

-----

5. SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cd-01.html

Schema:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.xsd

-----

6. SAML V2.0 Metadata Interoperability Profile Version 1.0
Editable Source:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.odt

PDF:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf

HTML:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.html


OASIS and the [tcname] TC welcome your comments.


Mary P McRae
Director, Technical Committee Administration
OASIS: Advancing open standards for the information society

web: www.oasis-open.org
twitter: fiberartisan
phone: 1.603.232.9090

