OASIS: Integrating Standards for Web Services, Business

SAML New Features and Standardization Status
Prepared for ITU-T by Hal Lockhart, Oracle
September 17, 2009

Status Overview
- SAML 2.0 - OASIS Standard - March 2005
- ITU-T Rec. X.1141 – June 2006
- Work since 2005 has consisted of defining additional Profiles
  - 2 OASIS Standards [noted as “(OS)”]
  - 15 Committee Specifications
    - XSPA Profile submitted for OASIS Standard vote
  - 1 Committee Draft [noted as “(CD)”]
  - Errata & Updated Technical Overview

Post 2.0 Profiles by Category: Metadata
- Metadata Profile for SAML V1.x (OS)
  - Using metadata with prior versions
- Metadata Extension for SAML V2.0 and V1.x Query Requesters (OS)
  - Metadata associated with queries
- Metadata Extension for Entity Attributes
  - Metadata about Subjects and Attributes
- Metadata Interoperability Profile

Post 2.0 Profiles by Category: Attributes
- SAML V2.0 Attribute Extensions
  - Defines additional attribute properties
  - Will be added to as needed
- Attribute Sharing Profile for X.509 Authentication-Based Systems
  - Attribute queries for X.509 Attributes
  - Subject DN is lookup key

Post 2.0 Profiles by Category: Holder of Key
- Holder-of-Key Assertion Profile
  - How to use X.509 with SAML Assertions
- Holder-of-Key Web Browser SSO Profile
  - Uses TLS and an off-the-shelf browser
  - Enables SAML capabilities by cryptographically secure means
  - Additional attributes may be provided

Post 2.0 Profiles by Category: Deployment
- Subject-based Profiles for SAML V1.1 Assertions
  - Enables mixed SAML 2.0 & 1.x deployments
- Deployment Profiles for X.509 Subjects
  - Enables interoperability in X.509 environments

Post 2.0 Profiles by Category: New Protocols
- Identity Provider Discovery Service Protocol
  - Alternative to the IDP discovery protocol in SAML 2.0
- Protocol Extension for Third-Party Requests
  - Request to send Assertion to a 3rd Party

Post 2.0 Profiles by Category: Authentication Context
- Protocol Extension for Requested Authentication Context
  - More flexible queries for AuthN Context
- Shared Credentials Authentication Context Extension
  - Adds ability to distinguish shared credentials
- Text-Based Challenge/Response Token Authentication Context
  - Additional AuthN Context definitions

Post 2.0 Profiles by Category: Other
- Cross-Enterprise Security and Privacy Authorization (XSPA) Profile
  - Attribute definitions for Healthcare
- X.500/LDAP Attribute Profile
  - Fixes bug in SAML 2.0
- HTTP POST “SimpleSign” Binding (CD)
  - Defines an easier-to-implement signature

Errata and Non-normative
- Approved Errata
  - Official under OASIS TC process
- SAML 2.0 Technical Overview
  - Greatly improved
  - Many diagrams, use cases, etc.

Projected Status - Spring 2010
- Likely OASIS Standards
  - Metadata Profile for SAML 1.x
  - Metadata Extension for SAML V2.0 and V1.x Query Requesters
  - XSPA Profile (Healthcare)
  - Approved Errata
- Other specifications generally awaiting implementations