It’s time again for a SAML Up-Date. (I’m picturing a Brian Pinhead type reading this aloud…)
Two recent messages to the Security Services Technical Committee list bear interesting news:
First, Rob Philpott of RSA, esteemed former co-chair of the SSTC, announces that RSA’s patent licensing situation has become entirely implicit, with implementors no longer asked to take any action at all to request a royalty-free license — not even filling in a web form, which was how things stood before. The OASIS IPR page isn’t quite updated yet with this new information (I’ll update with a link when it is) but Rob’s message contains the new IPR statement from RSA, so you should go and take a look.
Second, Mary McRae of OASIS announces that the SSTC has put forward a series of Committee Drafts for a month-long public review; you can send your comments using this form. This bunch of specs is what the TC thinks of as “post-V2.0” SAML profiles and extensions, and they’re intended to add interoperability for common use cases based on further deployment experience. (There are all sorts of extensions and profiles, some entirely private, being created and used by various people; the TC chooses to work on those that seem generally useful.)
The specs are as follows:
- Metadata Profile for the OASIS Security Assertion Markup Language (SAML) (PDF, HTML, OpenDocument, associated schema)
- SAML Attribute Sharing Profile for X.509 Authentication-Based Systems (PDF, HTML, OpenDocument)
- SAML XPath Attribute Profile (PDF, HTML, OpenDocument, associated schema)
- SAML Metadata Extension for Query Requesters (PDF, HTML, OpenDocument, associated schema)
- SAML Protocol Extension for Third-Party Requests (PDF, HTML, OpenDocument)
To highlight just one of these, the SAML XPath Attribute Profile “defines an attribute profile for SAML V2.0 using XPath V1.0 for attribute names. It lets SAML attribute authorities map XML documents, associated with a user, into SAML attributes. In particular, this profile enables attribute authorities to map Liberty Alliance data services into SAML attributes. XPath attributes can then be queried, asserted, and published in metadata.” Liberty defines something called the Data Services Template (DST), which provides protocol boilerplate “for the query and modification of data attributes exposed by a data service”; querying and updating a user’s data that way is one of the key use cases in personal-profile attribute-sharing scenarios and many others. Basically, this little profile lets you carve SAML attributes out of arbitrary XML content by using an XPath expression as the attribute name, with the content the expression selects supplying the attribute value. That’s extremely useful not only in the Liberty DST case but in general.
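Here is what that mapping looks like in practice. This is an added example, not code from the post or from the OASIS draft: it evaluates XPath-style attribute names against a user's XML document and emits `saml:Attribute` elements carrying the selected values. The sample profile document and its `urn:example:pp` namespace are constructed, the `NameFormat` URI is an assumption (check the draft for the one it defines), the convention of declaring the expression's namespace prefixes on the `Attribute` element is likewise assumed, and the evaluator only handles the location-path subset that Python's ElementTree understands rather than full XPath 1.0. The allow-list in `answer_query` is my own design choice, not something the profile prescribes.

```python
"""Map XML content associated with a subject into SAML 2.0 attributes
whose Name is an XPath expression (added example; see the lead-in for
which parts are assumptions)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumed NameFormat URI; use whatever the profile draft actually defines.
XPATH_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XPath"

# Constructed subject document, loosely shaped like a Liberty personal
# profile. The namespace is hypothetical.
NSMAP = {"pp": "urn:example:pp"}
SAMPLE_PROFILE = """<pp:PP xmlns:pp="urn:example:pp">
  <pp:CommonName>
    <pp:CN>Eve Maler</pp:CN>
  </pp:CommonName>
  <pp:MsgContact><pp:MsgAccount>eve@example.com</pp:MsgAccount></pp:MsgContact>
  <pp:MsgContact><pp:MsgAccount>xmlgrrl@example.net</pp:MsgAccount></pp:MsgContact>
</pp:PP>"""


def _qname(step, nsmap):
    """Turn 'pp:CN' into '{urn:example:pp}CN', ElementTree's tag form.
    An unknown prefix raises KeyError, i.e. the expression is malformed."""
    prefix, sep, local = step.partition(":")
    return f"{{{nsmap[prefix]}}}{local}" if sep else step


def select_nodes(doc_root, xpath, nsmap):
    """Evaluate an absolute location path against the document and return
    the matched elements. Only the step syntax ElementTree's ElementPath
    supports is accepted, a subset of XPath 1.0."""
    if not xpath.startswith("/"):
        raise ValueError("profile attribute names are absolute paths")
    steps = xpath[1:].split("/")
    # The first step must select the document element itself.
    if doc_root.tag != _qname(steps[0], nsmap):
        return []
    if len(steps) == 1:
        return [doc_root]
    return doc_root.findall("./" + "/".join(steps[1:]), nsmap)


def build_attribute(doc_root, xpath, nsmap):
    """Return a saml:Attribute with one AttributeValue per selected node
    (the node's XPath string-value), or None when nothing matched so the
    authority can omit the attribute instead of asserting an empty one."""
    nodes = select_nodes(doc_root, xpath, nsmap)
    if not nodes:
        return None
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"Name": xpath, "NameFormat": XPATH_NAME_FORMAT})
    # Assumed convention: declare the prefixes the expression uses on the
    # Attribute itself so a consumer can resolve the Name.
    for prefix, uri in nsmap.items():
        attr.set(f"xmlns:{prefix}", uri)
    for node in nodes:
        value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        value.text = "".join(node.itertext()).strip()
    return attr


def attribute_values(profile_xml, xpath, nsmap=NSMAP):
    """The AttributeValue strings an authority would assert for one name."""
    attr = build_attribute(ET.fromstring(profile_xml), xpath, nsmap)
    if attr is None:
        return []
    return [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]


def answer_query(profile_xml, requested, allowed, nsmap=NSMAP):
    """Answer an attribute query that names XPath attributes. The requester
    chooses the expression, so release policy is applied to the expression
    itself: names outside the allow-list are dropped, not evaluated."""
    root = ET.fromstring(profile_xml)
    answers = []
    for xpath in requested:
        if xpath not in allowed:
            continue
        attr = build_attribute(root, xpath, nsmap)
        if attr is not None:
            answers.append(ET.tostring(attr, encoding="unicode"))
    return answers


if __name__ == "__main__":
    allowed = {"/pp:PP/pp:CommonName/pp:CN",
               "/pp:PP/pp:MsgContact/pp:MsgAccount"}
    # "/pp:PP" would hand over the whole document; it is not on the list.
    for xml in answer_query(SAMPLE_PROFILE, sorted(allowed) + ["/pp:PP"], allowed):
        print(xml)
```

The allow-list matters more than it might look: with an XPath as the attribute name, a requester is effectively asking the authority to run a query over the subject's document, so an authority that evaluates whatever it is sent (the `/pp:PP` request above, say) discloses the whole profile. Applying release policy to the expression, not just filtering the result afterwards, keeps that from happening.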
So check ’em all out!
UP-DATE to the UP-DATE: Jeff Hodges, another esteemed former co-chair of the SSTC, comments further on the positive RSA IPR news. He also notes Google’s SAML-based single sign-on in their search appliance product. To me, Google’s usage of SAML looks remarkably robust, and their SPI documentation can function as another handy entry point into understanding how to do this stuff.