Jeff Hodges and Scott Cantor have been busy bees. They just published a draft of a new HTTP POST binding for SAML, called NoXMLdsig, that (surprise, surprise) eliminates the need for XML Signature. Its abstract reads:
This specification defines a SAML HTTP protocol binding, specifically using the HTTP POST method, and not using XML Digital Signature for SAML message and/or SAML assertion data origination authentication. Rather, a “sign the BLOB” technique is employed wherein a conveyed SAML message, along with any content (e.g. SAML assertions), is treated as a simple octet string if it is signed. Security is optional in this binding.
If you’ve got comments, let ’em know!
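To make the “sign the BLOB” idea concrete, here is an added example in Go. It is not code from the draft or from Hodges and Cantor: the SAML message is base64-encoded and an RSA-SHA256 signature is computed over those exact octets (together with the RelayState and SigAlg values) before anything decodes or parses the XML. The form field names, the decision to bind RelayState and SigAlg into the signed string, and the sample Response are assumptions made for this example, not the draft's definitions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Constructed sample SAML Response (not from the draft). The signing code never
// inspects it: to the "sign the BLOB" technique it is just an octet string.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">` +
	`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">` +
	`<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>` +
	`</saml:Assertion></samlp:Response>`

// Standard XML-DSig URI for RSA with SHA-256. Carrying it inside the signed
// string stops a relying party from being steered to a weaker algorithm.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// postForm holds the fields the HTTP POST form would carry. The field names and
// the choice to bind RelayState and SigAlg into the signature are assumptions
// for this example, not the draft's definitions.
type postForm struct {
	SAMLResponse string // base64 of the raw SAML message octets
	RelayState   string
	SigAlg       string
	Signature    string // base64 of the signature over signedOctets()
}

// signedOctets is the exact byte string the signature covers.
func (f *postForm) signedOctets() []byte {
	s := "SAMLResponse=" + url.QueryEscape(f.SAMLResponse)
	if f.RelayState != "" {
		s += "&RelayState=" + url.QueryEscape(f.RelayState)
	}
	s += "&SigAlg=" + url.QueryEscape(f.SigAlg)
	return []byte(s)
}

// signBlob builds the form and signs its octets with the issuer's RSA key.
func signBlob(priv *rsa.PrivateKey, message []byte, relayState string) (*postForm, error) {
	f := &postForm{
		SAMLResponse: base64.StdEncoding.EncodeToString(message),
		RelayState:   relayState,
		SigAlg:       sigAlgRSASHA256,
	}
	digest := sha256.Sum256(f.signedOctets())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	f.Signature = base64.StdEncoding.EncodeToString(sig)
	return f, nil
}

// verifyBlob checks the signature before the XML is decoded or parsed and
// returns the raw message octets only on success. An empty Signature fails
// here: "security is optional" in the binding must not mean optional in the
// relying party.
func verifyBlob(pub *rsa.PublicKey, f *postForm) ([]byte, error) {
	if f.SigAlg != sigAlgRSASHA256 {
		return nil, fmt.Errorf("unsupported SigAlg %q", f.SigAlg)
	}
	sig, err := base64.StdEncoding.DecodeString(f.Signature)
	if err != nil {
		return nil, fmt.Errorf("bad Signature encoding: %w", err)
	}
	digest := sha256.Sum256(f.signedOctets())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not cover the conveyed octets: %w", err)
	}
	msg, err := base64.StdEncoding.DecodeString(f.SAMLResponse)
	if err != nil {
		return nil, fmt.Errorf("bad SAMLResponse encoding: %w", err)
	}
	return msg, nil
}

// tamperBlob edits the message inside an already-signed form, as someone who
// can only modify the POST body in transit would. Any change to the octets,
// however small, invalidates a BLOB signature.
func tamperBlob(f *postForm, from, to string) *postForm {
	raw, _ := base64.StdEncoding.DecodeString(f.SAMLResponse)
	raw = bytes.Replace(raw, []byte(from), []byte(to), 1)
	t := *f
	t.SAMLResponse = base64.StdEncoding.EncodeToString(raw)
	return &t
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	form, err := signBlob(priv, []byte(sampleResponse), "/app/start")
	if err != nil {
		panic(err)
	}
	msg, err := verifyBlob(&priv.PublicKey, form)
	fmt.Printf("genuine form verifies: %v (%d message bytes)\n", err == nil, len(msg))

	evil := tamperBlob(form, "alice@example.org", "admin@example.org")
	_, err = verifyBlob(&priv.PublicKey, evil)
	fmt.Printf("tampered form rejected: %v\n", err != nil)
}
```

Because the signature covers every byte the relying party actually received, verification needs no canonicalization and no resolution of signature references, and a modification anywhere in the blob fails before an XML parser ever sees it. The abstract's “security is optional in this binding” is the caveat to carry into an implementation: a relying party has to refuse an unsigned form rather than fall through to parsing it, which is why verifyBlob treats an empty or mismatched Signature, a changed RelayState and an unexpected SigAlg all as hard failures.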