Wednesday, October 17, 2007

Latest Revisions of SAML-lSSO and SAML OpenID Profile

I've updated the SAML-lSSO and SAML OpenID Profile specs just to bring
them up-to-date with the latest revisions of various SAML and OpenID
specs and to fix minor editorial issues. The SAML-lSSO spec is
presently not a current IETF Internet-Draft -- its prior version
expired a few months ago. We're thinking about whether we want to
pursue that specification officially or not. The issue with it is
that in implementing it, one can optionally turn security completely
off -- which is a 'feature' various folks advocating for so-called
'open Internet' identity management desire. But SDOs such as IETF,
OASIS, W3C, Liberty Alliance, etc. all would look askance at blessing
such a spec. In fact the IETF definitely would not allow it to go
forward in that they have an explicit policy against promulgating
insecure protocols.

"SAMLv2 Lightweight Web Browser SSO Profile"
specifies a SAMLv2 lightweight Web Browser Single Sign-On Profile.
This profile is modeled on the OASIS SAMLv2 Web Browser SSO profile,
adding various constraints, and using a new lighter-weight SAMLv2
HTTP POST binding offering an optional signature technique that is
simpler to implement than the also optional XML Digital Signature
approach.
