Friday, December 14, 2007

OASIS Public Review of five (old) SAML Specifications


The OASIS Security Services (SAML) TC has started a Public Review of SAML Specifications that ends on 9 February 2008. The five specifications are:

  • SAMLv2.0 HTTP POST "SimpleSign" Binding [HTML]

    This specification defines a SAML HTTP protocol binding, specifically using the HTTP POST method, and not using XML Digital Signature for SAML message data origination authentication. Rather, a “sign the BLOB” technique is employed wherein a conveyed SAML message is treated as a simple octet string if it is signed. Conveyed SAML assertions may be individually signed using XMLdsig. Security is optional in this binding.

  • Identity Provider Discovery Service Protocol and Profile [HTML]

    Defines a generic browser-based protocol by which a centralized discovery service implemented independently of a given service provider can provide a requesting service provider with the unique identifier of an identity provider that can authenticate a principal.

  • SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems [HTML]

    This deployment profile specifies the use of SAML V2.0 attribute queries and assertions to support distributed authorization in support of X.509-based authentication.

  • SAML V2.0 Deployment Profiles for X.509 Subjects [HTML]

    This related set of SAML V2.0 deployment profiles specifies how a principal who has been issued an X.509 identity certificate is represented as a SAML Subject, how an assertion regarding such a principal is produced and consumed, and finally how two entities exchange attributes about such a principal.

  • SAML V2.0 LDAP/X.500 Attribute Profile [HTML]

    This profile is a replacement for the X.500/LDAP Attribute Profile found in the original SAML 2.0 Profiles specification [SAML2Prof]. The original profile results in well-formed but schema-invalid XML and cannot be corrected without a normative change.
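The "sign the BLOB" idea behind the SimpleSign binding is easier to see in code than in the abstract above. The following Go program is an added example, not code from the OASIS specification or from this post: it signs the conveyed SAML message as an opaque octet string together with the RelayState and SigAlg form fields, and verifies it the same way, with no XML parsing or canonicalisation anywhere. The exact layout of the signed string, the field and function names (`SimpleSignMessage`, `Sign`, `Verify`, `Reserialised`) and the choice of RSA with SHA-256 are assumptions of this example, modelled on the binding's pattern rather than quoted from it; the sample message is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// RSASHA256 is the SigAlg URI this example carries in the form and the only
// algorithm it accepts: SigAlg is sender-controlled, so the receiver allowlists it.
const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SimpleSignMessage models the form fields a SimpleSign POST carries (assumed names).
type SimpleSignMessage struct {
	SAMLResponse string // base64 of the SAML XML exactly as the sender serialised it
	RelayState   string
	SigAlg       string
	Signature    string // base64 of the raw signature bytes; empty when unsigned
}

// signedOctets assembles the blob that gets signed. The decoded SAML message is
// treated as an opaque octet string; nothing here parses or canonicalises XML.
// Assumption: field order and separators are illustrative, not quoted from the spec.
func signedOctets(xml []byte, relayState, sigAlg string) []byte {
	var b strings.Builder
	b.WriteString("SAMLResponse=")
	b.Write(xml)
	if relayState != "" {
		b.WriteString("&RelayState=")
		b.WriteString(relayState)
	}
	b.WriteString("&SigAlg=")
	b.WriteString(sigAlg)
	return []byte(b.String())
}

// Sign produces the form fields for a SAML message, signing the blob with
// RSA PKCS#1 v1.5 over SHA-256.
func Sign(priv *rsa.PrivateKey, xml []byte, relayState string) (SimpleSignMessage, error) {
	digest := sha256.Sum256(signedOctets(xml, relayState, RSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SimpleSignMessage{}, err
	}
	return SimpleSignMessage{
		SAMLResponse: base64.StdEncoding.EncodeToString(xml),
		RelayState:   relayState,
		SigAlg:       RSASHA256,
		Signature:    base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// Verify checks a received message. Because the binding makes signing optional,
// the receiver has to enforce its own policy: this one refuses unsigned messages
// and any SigAlg other than the allowlisted one.
func Verify(pub *rsa.PublicKey, m SimpleSignMessage) error {
	if m.Signature == "" {
		return errors.New("unsigned message rejected by policy")
	}
	if m.SigAlg != RSASHA256 {
		return fmt.Errorf("SigAlg %q not allowed", m.SigAlg)
	}
	xml, err := base64.StdEncoding.DecodeString(m.SAMLResponse)
	if err != nil {
		return fmt.Errorf("SAMLResponse: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return fmt.Errorf("Signature: %w", err)
	}
	// Verify against the bytes actually received, never a re-serialised copy.
	digest := sha256.Sum256(signedOctets(xml, m.RelayState, m.SigAlg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Reserialised returns a copy whose XML differs only in whitespace. That is
// enough to break a blob signature, since there is no canonicalisation to absorb it.
func Reserialised(m SimpleSignMessage) SimpleSignMessage {
	xml, _ := base64.StdEncoding.DecodeString(m.SAMLResponse)
	pretty := strings.ReplaceAll(string(xml), "><", ">\n<")
	m.SAMLResponse = base64.StdEncoding.EncodeToString([]byte(pretty))
	return m
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample message, not a real assertion.
	xml := []byte(`<samlp:Response ID="_example"><saml:Assertion/></samlp:Response>`)
	m, _ := Sign(priv, xml, "state-1")
	fmt.Println("intact:", Verify(&priv.PublicKey, m))
	alt := m
	alt.RelayState = "state-2"
	fmt.Println("tampered RelayState:", Verify(&priv.PublicKey, alt))
	fmt.Println("reserialised XML:", Verify(&priv.PublicKey, Reserialised(m)))
}
```

Two things the example makes visible that the abstract only hints at: the signature covers the RelayState and SigAlg fields as well as the message, so changing either breaks it; and because the message is signed as bytes, a receiver must verify the octets it actually received, since even re-indenting the XML invalidates the signature. The "Security is optional" wording in the abstract is why `Verify` rejects unsigned messages outright; that is receiver policy, not something the binding does for you.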

I've never figured out why these announcements never mention what happens after the review is over, especially when the specifications are expected to become an OASIS standard. I can understand that potentially someone could make a substantial comment that would require another round with the committee, but in general it seems like these specifications follow a slow but sure flow, so why not write something like "this is the final review and afterwards they are expected to become standards in e.g. April"? Maybe they think that readers/reviewers know the OASIS process by heart (we don't), they do not have a clue when specifications will finally become standards, or they're afraid to promise anything (due to hard-earned lessons).

Back in July I looked at the last one in my post: "New SAML V2.0 X.500/LDAP Attribute Profile". The version I wrote about was the Committee Draft 01, 19 December 2006, which is just about a year ago from now. I just did a quick comparison between the two odt versions and it didn't look like it had undergone any significant technical changes, just a couple of textual corrections and the right intro with references. Based on this observation it is sort of sad that it still isn't final, but maybe mostly for the writer (Scott Cantor), since the demand for attribute profiles looks low (Who needs SAML V2.0 Attribute profiles?).

I haven't had time to look at the other specifications but maybe the new year will change that.