SAML and Liberty

Date:      Wed, 17 Jul 2002 16:32:09 -0700
From:      Jeff Hodges <Jeff.Hodges@sun.com>
To:        oasis sstc <security-services@lists.oasis-open.org>
Subject:   [security-services] SAML and Liberty

As most everyone knows now, the Liberty Alliance Project announced their version 1.0 specs on Mon 15-Jul-2002 (at Catalyst). Relevant web pages:

Liberty Alliance Project
http://www.projectliberty.org/

Liberty Alliance Version 1.0 Specification Set
http://www.projectliberty.org/specs/liberty-specifications-v1.0.zip

consisting of...

Liberty Architecture Overview
Liberty Architecture Implementation Guidelines
Liberty Authentication Context Specification
Liberty Bindings and Profiles Specification
Liberty Protocols and Schemas Specification
Liberty Technical Glossary

The Liberty specs build directly on SAML, via both XML schema extensions, and new protocols & profiles. The key technical builds are, in summary:

explicit nameIdentifier exchange (identity federation),
semantically rich, extended AuthnRequest (supports wider range of user experiences),
new SSO profiles supporting mobile devices,
bilateral operational agreement between sites supported by provider metadata schema,
Authentication Context schema (provides richer authn context than <saml:AuthenticationMethod> identifiers),
introduction protocol (common domain & cookie),
single logout protocol & profiles (completes the SSO picture).

Having our specs built upon by this group is a solid vote of confidence in the work we have accomplished here, especially given the breadth of involvement in Liberty. We should all take pride in this -- as well as the success of the SAML Interop demo at Catalyst -- both of which demonstrate SAML has "traction" and is a solid foundation for vendors and deployers to build upon. Thanks to all of you for all of your hard work over the past 1.5+ years.

SAML folk should take a close look at the Liberty specs and think about what portions would make sense to leverage/adopt in the SAML context. Liberty hasn't yet officially announced the long-term lifecycle of its specs, and there is opportunity for providing input (no guarantees on outcome, tho, of course). For example, the Authentication Context spec is pretty orthogonal and is something that folks will perhaps be continually adding to -- is there any interest in taking it on, and having it live in the SSTC or perhaps it's own TC? The SSTC was, early on, working on session management -- is the Liberty Single Logout protocol and profiles something that would fit in that draft framework? We should consider these questions in the general context of thinking about what's next in the larger sense for the SSTC (e.g., SAML 2.0).

Some disclosure:

I am a Liberty contributor and am the editor of the Liberty Architecture Overview, and Jason Rouault, another SAML participant, is the editor of the Liberty Bindings and Profiles Spec.

I am quite pleased to finally be able to disclose this, and am looking forward to doing some "liaising" between SSTC/SAML and Liberty.

JeffH

Prepared by Robin Cover for The XML Cover Pages archive. See: (1) details in the 2002-07-16 news item "Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization."; (2) "Security Assertion Markup Language (SAML)."

SEARCH Advanced Search ABOUT Site Map CP RSS Channel Contact Us Sponsoring CP About Our Sponsors NEWS Cover Stories Articles & Papers Press Releases CORE STANDARDS XML SGML Schemas XSL/XSLT/XPath XLink XML Query CSS SVG TECHNOLOGY REPORTS XML Applications General Apps Government Apps Academic Apps EVENTS LIBRARY Introductions FAQs Bibliography Technology and Society Semantics Tech Topics Software Related Standards Historic	SAML and Liberty Date: Wed, 17 Jul 2002 16:32:09 -0700 From: Jeff Hodges <Jeff.Hodges@sun.com> To: oasis sstc <security-services@lists.oasis-open.org> Subject: [security-services] SAML and Liberty As most everyone knows now, the Liberty Alliance Project announced their version 1.0 specs on Mon 15-Jul-2002 (at Catalyst). Relevant web pages: Liberty Alliance Project http://www.projectliberty.org/ Liberty Alliance Version 1.0 Specification Set http://www.projectliberty.org/specs/liberty-specifications-v1.0.zip consisting of... Liberty Architecture Overview Liberty Architecture Implementation Guidelines Liberty Authentication Context Specification Liberty Bindings and Profiles Specification Liberty Protocols and Schemas Specification Liberty Technical Glossary The Liberty specs build directly on SAML, via both XML schema extensions, and new protocols & profiles. The key technical builds are, in summary: explicit nameIdentifier exchange (identity federation), semantically rich, extended AuthnRequest (supports wider range of user experiences), new SSO profiles supporting mobile devices, bilateral operational agreement between sites supported by provider metadata schema, Authentication Context schema (provides richer authn context than <saml:AuthenticationMethod> identifiers), introduction protocol (common domain & cookie), single logout protocol & profiles (completes the SSO picture). Having our specs built upon by this group is a solid vote of confidence in the work we have accomplished here, especially given the breadth of involvement in Liberty. We should all take pride in this -- as well as the success of the SAML Interop demo at Catalyst -- both of which demonstrate SAML has "traction" and is a solid foundation for vendors and deployers to build upon. Thanks to all of you for all of your hard work over the past 1.5+ years. SAML folk should take a close look at the Liberty specs and think about what portions would make sense to leverage/adopt in the SAML context. Liberty hasn't yet officially announced the long-term lifecycle of its specs, and there is opportunity for providing input (no guarantees on outcome, tho, of course). For example, the Authentication Context spec is pretty orthogonal and is something that folks will perhaps be continually adding to -- is there any interest in taking it on, and having it live in the SSTC or perhaps it's own TC? The SSTC was, early on, working on session management -- is the Liberty Single Logout protocol and profiles something that would fit in that draft framework? We should consider these questions in the general context of thinking about what's next in the larger sense for the SSTC (e.g., SAML 2.0). Some disclosure: I am a Liberty contributor and am the editor of the Liberty Architecture Overview, and Jason Rouault, another SAML participant, is the editor of the Liberty Bindings and Profiles Spec. I am quite pleased to finally be able to disclose this, and am looking forward to doing some "liaising" between SSTC/SAML and Liberty. JeffH Prepared by Robin Cover for The XML Cover Pages archive. See: (1) details in the 2002-07-16 news item "Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization."; (2) "Security Assertion Markup Language (SAML)."