SAML New Features and Standardization Status

1
SAML New Features and Standardization Status
  • Prepared for ITU-T by
  • Hal Lockhart, Oracle, September 17, 2009

2
Status Overview
  • SAML 2.0 - OASIS Standard - March 2005
  • ITU-T Rec. X.1141 June 2006
  • Work since 2005 has consisted of defining
    additional Profiles
  • 2 OASIS Standards noted as (OS)
  • 15 Committee Specifications
  • XSPA Profile submitted for OASIS Standard vote
  • 1 Committee Draft noted as (CD)
  • Errata and Updated Technical Overview

3
Post 2.0 Profiles by Category: Metadata
  • Metadata Profile for SAML V1.x (OS)
  • Using metadata with prior versions
  • Metadata Extension for SAML V2.0 and V1.x Query
    Requesters (OS)
  • Metadata associated with queries
  • Metadata Extension for Entity Attributes
  • Metadata about Subjects and Attributes
  • Metadata Interoperability Profile

4
Post 2.0 Profiles by Category: Attributes
  • SAML V2.0 Attribute Extensions
  • Defines additional attribute properties
  • Will be added to as needed
  • Attribute Sharing Profile for X.509
    Authentication-Based Systems
  • Attribute queries for X.509 Attributes
  • Subject DN is lookup key

5
Post 2.0 Profiles by Category: Holder of Key
  • Holder-of-Key Assertion Profile
  • How to use X.509 with SAML Assertions
  • Holder-of-Key Web Browser SSO Profile
  • Uses TLS and an off-the-shelf browser
  • Enables SAML capabilities by cryptographically
    secure means
  • Additional attributes may be provided

6
Post 2.0 Profiles by Category: Deployment
  • Subject-based Profiles for SAML V1.1 Assertions
  • Enables mixed SAML 2.0 and 1.x deployments
  • Deployment Profiles for X.509 Subjects
  • Enables interoperability in X.509 environments

7
Post 2.0 Profiles by Category: New Protocols
  • Identity Provider Discovery Service Protocol
  • Alternative to the IDP discovery protocol in SAML
    2.0
  • Protocol Extension for Third-Party Requests
  • Request to send Assertion to a 3rd Party

8
Post 2.0 Profiles by Category: Authentication Context
  • Protocol Extension for Requested Authentication
    Context
  • More flexible queries for AuthN Context
  • Shared Credentials Authentication Context
    Extension
  • Adds ability to distinguish shared credentials
  • Text-Based Challenge/Response Token
    Authentication Context
  • Additional AuthN Context definitions

9
Post 2.0 Profiles by Category: Other
  • Cross-Enterprise Security and Privacy
    Authorization (XSPA) Profile
  • Attribute definitions for Healthcare
  • X.500/LDAP Attribute Profile
  • Fixes bug in SAML 2.0
  • HTTP POST SimpleSign Binding (CD)
  • Defines an easier-to-implement signature

10
Errata and Non-normative
  • Approved Errata
  • Official under OASIS TC process
  • SAML 2.0 Technical Overview
  • Greatly improved
  • Many diagrams, use cases, etc.

11
Projected Status - Spring 2010
  • Likely OASIS Standards
  • Metadata Profile for SAML 1.x
  • Metadata Extension for SAML V2.0 and V1.x Query
    Requesters
  • XSPA Profile (Healthcare)
  • Approved Errata
  • Other specifications generally awaiting
    implementations