SAML and Liberty
Date: Wed, 17 Jul 2002 16:32:09 -0700
From: Jeff Hodges <Jeff.Hodges@sun.com>
To: oasis sstc <security-services@lists.oasis-open.org>
Subject: [security-services] SAML and Liberty
As most everyone knows now, the Liberty Alliance Project announced their version 1.0 specs on Mon 15-Jul-2002 (at Catalyst). Relevant web pages:
Liberty Alliance Project
http://www.projectliberty.org/
Liberty Alliance Version 1.0 Specification Set
http://www.projectliberty.org/specs/liberty-specifications-v1.0.zip
consisting of...
- Liberty Architecture Overview
- Liberty Architecture Implementation Guidelines
- Liberty Authentication Context Specification
- Liberty Bindings and Profiles Specification
- Liberty Protocols and Schemas Specification
- Liberty Technical Glossary
The Liberty specs build directly on SAML, via both XML schema extensions, and new protocols & profiles. The key technical builds are, in summary:
- explicit nameIdentifier exchange (identity federation),
- semantically rich, extended AuthnRequest (supports wider range of user experiences),
- new SSO profiles supporting mobile devices,
- bilateral operational agreement between sites supported by provider metadata schema,
- Authentication Context schema (provides richer authn context than <saml:AuthenticationMethod> identifiers),
- introduction protocol (common domain & cookie),
- single logout protocol & profiles (completes the SSO picture).
Having our specs built upon by this group is a solid vote of confidence in the work we have accomplished here, especially given the breadth of involvement in Liberty. We should all take pride in this -- as well as the success of the SAML Interop demo at Catalyst -- both of which demonstrate SAML has "traction" and is a solid foundation for vendors and deployers to build upon. Thanks to all of you for all of your hard work over the past 1.5+ years.
SAML folk should take a close look at the Liberty specs and think about what portions would make sense to leverage/adopt in the SAML context. Liberty hasn't yet officially announced the long-term lifecycle of its specs, and there is opportunity for providing input (no guarantees on outcome, though, of course). For example, the Authentication Context spec is pretty orthogonal and is something that folks will perhaps be continually adding to -- is there any interest in taking it on, and having it live in the SSTC or perhaps its own TC? The SSTC was, early on, working on session management -- is the Liberty Single Logout protocol and profiles something that would fit in that draft framework? We should consider these questions in the general context of thinking about what's next in the larger sense for the SSTC (e.g., SAML 2.0).
Some disclosure:
I am a Liberty contributor and am the editor of the Liberty Architecture Overview, and Jason Rouault, another SAML participant, is the editor of the Liberty Bindings and Profiles Spec.
I am quite pleased to finally be able to disclose this, and am looking forward to doing some "liaising" between SSTC/SAML and Liberty.
JeffH
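[Editor's note, added to the archived message and not part of Jeff Hodges' post or of the Liberty specifications: the list above names three of the pieces Liberty layers on SAML (per-site federated name identifiers, a provider registry standing in for the bilateral operational agreement, and single logout). The toy model below shows, in memory rather than on the wire, what those pieces buy an SP: an identity provider hands each service provider its own opaque handle for the same user, so two SPs cannot correlate the user by identifier; an SP only accepts assertions from the issuer it has an agreement with and that are addressed to it; and one logout at the IdP tears down every SSO session it issued. The class names, the `Assertion` fields, and the provider identifiers are assumptions for illustration; none of this is Liberty or SAML XML syntax.]

```python
"""Toy model of Liberty-style identity federation and single logout.

Added illustration only: not Liberty's or SAML's wire format, and not
code from the Liberty Alliance or the OASIS SSTC. Element/field names
are assumed for this example.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    issuer: str           # identity provider that made the statement
    audience: str         # service provider the assertion is meant for
    name_identifier: str  # opaque, per-SP federated handle (never the IdP's local user id)
    session_index: str    # lets the SP match a later logout to this SSO session


class ServiceProvider:
    def __init__(self, sp_id, trusted_idp):
        self.sp_id = sp_id
        self.trusted_idp = trusted_idp  # from the bilateral provider agreement
        self.links = {}                 # name_identifier -> local account
        self.sessions = {}              # session_index -> name_identifier

    def consume(self, assertion, local_account=None):
        """Accept an SSO assertion; link the handle to a local account on first use."""
        if assertion.issuer != self.trusted_idp:
            raise ValueError("untrusted issuer")
        if assertion.audience != self.sp_id:
            raise ValueError("assertion not addressed to this SP")
        if assertion.name_identifier not in self.links:
            if local_account is None:
                raise ValueError("unknown federation handle and no local account to link")
            self.links[assertion.name_identifier] = local_account
        self.sessions[assertion.session_index] = assertion.name_identifier
        return self.links[assertion.name_identifier]

    def logout(self, name_identifier, session_index):
        """Terminate one SSO session; True if it existed for that handle."""
        if self.sessions.get(session_index) != name_identifier:
            return False
        del self.sessions[session_index]
        return True


class IdentityProvider:
    def __init__(self, idp_id):
        self.idp_id = idp_id
        self.providers = {}  # sp_id -> ServiceProvider (stands in for provider metadata)
        self.handles = {}    # (user, sp_id) -> federated name identifier
        self.active = {}     # user -> [(sp_id, session_index), ...]

    def register(self, sp):
        self.providers[sp.sp_id] = sp

    def federate(self, user, sp_id):
        """One random, persistent handle per (user, SP) pair."""
        key = (user, sp_id)
        if key not in self.handles:
            self.handles[key] = secrets.token_urlsafe(16)
        return self.handles[key]

    def single_sign_on(self, user, sp_id, local_account=None):
        sp = self.providers[sp_id]  # unregistered SP -> KeyError: no agreement, no SSO
        handle = self.federate(user, sp_id)
        session_index = secrets.token_hex(8)
        account = sp.consume(Assertion(self.idp_id, sp_id, handle, session_index), local_account)
        self.active.setdefault(user, []).append((sp_id, session_index))
        return account

    def single_logout(self, user):
        """Notify every SP that holds a session issued for this user."""
        results = {}
        for sp_id, session_index in self.active.pop(user, []):
            results[sp_id] = self.providers[sp_id].logout(self.handles[(user, sp_id)], session_index)
        return results


def demo():
    # Constructed scenario: one user, one IdP, two SPs under agreement.
    idp = IdentityProvider("idp.example")
    travel = ServiceProvider("travel.example", "idp.example")
    bank = ServiceProvider("bank.example", "idp.example")
    idp.register(travel)
    idp.register(bank)
    idp.single_sign_on("alice", "travel.example", local_account="alice-travel-42")
    idp.single_sign_on("alice", "bank.example", local_account="acct-9001")
    h_travel = idp.handles[("alice", "travel.example")]
    h_bank = idp.handles[("alice", "bank.example")]
    # Return visit: handle already linked, no local account needed.
    acct = idp.single_sign_on("alice", "travel.example")
    # Misdirected assertion: bank must refuse one addressed to travel.
    try:
        bank.consume(Assertion("idp.example", "travel.example", h_travel, "x"))
        misdirected_rejected = False
    except ValueError:
        misdirected_rejected = True
    return {
        "distinct_handles": h_travel != h_bank,
        "relogin_account": acct,
        "misdirected_rejected": misdirected_rejected,
        "logout": idp.single_logout("alice"),
        "sessions_left": len(travel.sessions) + len(bank.sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks in `consume` are the ones worth carrying into any real deployment: an SP that skips the issuer check trusts anyone who can produce an assertion, and one that skips the audience check can be fed an assertion captured at a different SP. The per-SP handle is what keeps the travel site and the bank from joining their records on a shared identifier without the user's involvement.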
Prepared by Robin Cover for The XML Cover Pages archive. See: (1) details in the 2002-07-16 news item "Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization."; (2) "Security Assertion Markup Language (SAML)."