SAML Issues
  • The authentication step
    • Credentials collection, transmission, verification as input to Authentication Authority
    • Ruled "out of scope" for now

  • Sessions
    • "single sign-on" implies session of some kind
    • relation to target application sessions
    • "rich" sessions: single sign-off, timeout/in, query (postponed)
    • transferring session state (out of scope)

  • Other
    • Controlling scope
    • how much to depend on (or avoid) PKI
    • "indexical references", aka bearer documents
    • supporting the messaging/B2B cases, vs Web SSO

Internet2 Shibboleth, OASIS Security Services
50th IETF, March 2001
RL "Bob" Morgan, rlmorgan@washington.edu