On April 19, 2002 the OASIS XML-Based Security Services Technical Committee (SSTC) released several SAML specifications which have reached 'Committee Specification' maturity level. The TC plans to submit the SAML specification for approval as an OASIS Standard in the July-September 2002 timeframe. The OASIS TC has been chartered to "define an XML framework for exchanging authentication and authorization information" and previously published working drafts for the Security Assertion Markup Language (SAML). Using industry-standard protocols and messaging frameworks, SAML "is an important element in the security technology stack; it makes use of XML digital signatures and XML encryption." In SAML, "security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes." The new Committee Specification deliverables include: (1) SAML Assertions and Protocol, with separate XML Assertion Schema and XML Protocol Schema; (2) SAML Bindings and Profiles; (3) SAML Security and Privacy Considerations [non-normative]; (4) SAML Conformance Program Specification; (5) SAML Glossary.
From the SSTC charter: "The purpose of the XML-Based Security Services TC (SSTC) is to define an XML framework for exchanging authentication and authorization information. The SSTC will produce set of one or more Committee Specifications that cover use cases and requirements, core assertions, protocols, bindings, and a conformance suite, all of the aforementioned to be examined with respect to security considerations. The work will take the S2ML specification and the intended submission of AuthXML, along with any other relevant and timely submissions, into consideration..."
SAML 'Committee Specification' maturity level documents for review:
"Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)." Edited by Phillip Hallam-Baker (VeriSign) and Eve Maler (Sun Microsystems). For the OASIS XML-Based Security Services Technical Committee (SSTC) Maturity level: Committee Specification. Publication date: 19-April-2002. Reference: cs-sstc-core-00. 54 pages. "This specification defines the syntax and semantics for XML-encoded SAML assertions, protocol requests, and protocol responses. These constructs are typically embedded in other structures for transport, such as HTTP form POSTs and XML-encoded SOAP messages. The SAML specification for bindings and profiles provides frameworks for this embedding and transport. Files containing just the SAML assertion schema and protocol schema are available... The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes. Note that assertions containing authentication statements merely describe acts of authentication that happened previously. Assertions are issued by SAML authorities, namely, authentication authorities, attribute authorities, and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding, to SOAP over HTTP. SAML authorities can use various sources of information, such as external policy stores and assertions that were received as input in requests, in creating their responses. Thus, while clients always consume assertions, SAML authorities can be both producers and consumers of assertions..." [alt source, Word/.DOC]
SAML Assertion and Protocol Schemas:
"Bindings and Profiles for the OASIS Security Assertion Markup Language." Edited by Prateek Mishra (Netegrity). Publication date: 19-April-2002. Reference: cs-sstc-bindings-00. 33 pages. "Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings (or just bindings). An instance of mapping SAML request-response message exchanges into a specific protocol <FOO> is termed a <FOO> binding for SAML or a SAML <FOO> binding. For example, an HTTP binding for SAML describes how SAML request and response message exchanges are mapped into HTTP message exchanges. A SAML SOAP binding describes how SAML request and response message exchanges are mapped into SOAP message exchanges. Sets of rules describing how to embed and extract SAML assertions into a framework or protocol are called profiles of SAML. A profile describes how SAML assertions are embedded in or combined with other objects (for example, files of various types, or protocol data units of communication protocols) by an originating party, communicated from the originating site to a destination, and subsequently processed at the destination. A particular set of rules for embedding SAML assertions into and extracting them from a specific class of <FOO> objects is termed a <FOO> profile of SAML. For example, a SOAP profile of SAML describes how SAML assertions can be added to SOAP messages, how SOAP headers are affected by SAML assertions, and how SAML-related error states should be reflected in SOAP messages..."
"Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML)." Edited by Chris McLaren (Netegrity). Publication date: 19-April-2002. Reference: cs-sstc-sec-consider-00. 25 pages. "This non-normative document describes and analyzes the security and privacy properties of the OASIS Security Assertion Markup Language (SAML) defined in the core SAML specification [SAMLCore] and the SAML specification for bindings and profiles [SAMLBind]. The intent in this document is to provide input to the design of SAML, and to provide information to architects, implementors, and reviewers of SAML-based systems about the following: (1) The threats, and thus security risks, to which a SAML-based system is subject; (2) The security risks the SAML architecture addresses, and how it does so; (3) The security risks it does not address; (4) Recommendations for countermeasures that mitigate those risks... Privacy: "SAML includes the ability to make statements about the attributes and authorizations of authenticated entities. There are very many common situations in which the information carried in these statements is something that one or more of the parties to a communication would desire to keep accessible to as restricted as possible a set of entities. Statements of medical or financial attributes are simple examples of such cases. Parties making statements, issuing assertions, conveying assertions, and consuming assertions must be aware of these potential privacy concerns and should attempt to address them in their implementations of SAML-aware systems." Security: "Communication between computer-based systems is subject to a variety of threats, and these threats carry some level of associated risk. The nature of the risk depends on a host of factors, including the nature of the communications, the nature of the communicating systems, the communication mediums, the communication environment, the end-system environments, and so on. Section 3 of the IETF guidelines on writing security considerations for RFCs provides an overview of threats inherent in the Internet (and, by implication, intranets). SAML is intended to aid deployers in establishing security contexts for application-level computer-based communications within or between security domains. By serving in this role, SAML addresses the 'endpoint authentication' aspect (in part, at least) of communications security, and also the 'unauthorized usage' aspect of systems security. Communications security is directly applicable to the design of SAML. Systems security is of interest mostly in the context of SAML's threat models. Section 2 of the IETF guidelines gives an overview of communications security and systems security..."
"Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML)." Edited by Robert Griffin (Entrust) and Eve Maler (Sun Microsystems). Publication date: 19-April-2002. Reference: cs-sstc-conform-00. 21 pages. "This document describes the program and technical requirements for the SAML conformance system... SAML deals with a rich set of functionalities ranging from authentication assertions to assertions for policy enforcement. Not all software might choose to implement all the SAML specifications. In order to achieve compatibility and interoperability, applications and software need to be certified for conformance in a uniform manner. The SAML conformance effort aims at fulfilling this need. The deliverables of the SAML conformance effort include: (1) Conformance Clause, defining at a high-level what conformance means for the SAML standard; (2) Conformance Program specification, defining how an implementation or application establishes conformance; (3) Conformance Test Suite. This is a set of test programs, result files and report generation tools that can be used by vendors of SAML-compliant software, buyers interested in confirming SAML compliance of software, and testing labs running conformance tests on behalf of vendors or buyers..."
"Glossary for the OASIS Security Assertion Markup Language (SAML)." Edited by Jeff Hodges (Sun Microsystems) and Eve Maler (Sun Microsystems). Publication date: 19-April-2002. Reference: cs-sstc-glossary-00. 13 pages. "This normative document defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents. Some definitions are derived directly from external sources (referenced in an appendix), some definitions based on external sources have been substantively modified to fit the SAML context, and some are newly developed for SAML. Please refer to the external sources for definitions of terms not explicitly defined here. Some definitions have multiple senses provided. They are denoted by '(a)', '(b)', and so on. References to terms defined elsewhere in this glossary are italicized..."