Security/identity · 3 May 2006

SAML, lightly

I hosted a session yesterday on “Lightweight SAML and Liberty” at the Internet Identity Workshop. You can find the notes here. I thought it was interesting that there wasn’t a lot of “religion” about issues such as the use of XML Signature: a brute-force solution such as providing an API that abstracts away from having to know it seemed about as popular as removing it entirely somehow (e.g., by writing an alternate POST binding). For completeness in exploring the solution space, I tried suggesting that signing be removed entirely — and got snorts of derision, which is pretty much what I was expecting to hear. Whew! I will definitely be following up on what I learned from this session.

For people who aren’t familiar with the various SAML outreach sources, it may be helpful to know that there’s a very short Executive Overview, a draft Technical Overview (we could really use input on how to improve this — drop me a line with ideas), a bunch of slide sets (all linked from the main SAML committee page), a developers’ mailing list called saml-dev (subscribe, archive), a FAQ (which I need to update sometime soon, using questions raised on saml-dev), and more.
