WebApp Sec
mailing list archives
Re: SAML implementation
From: Yuri Demchenko <demch () chello nl>
Date: Wed, 09 Feb 2005 17:32:56 +0100
Rishi Pande wrote:
> I am not sure if this is the right place for this, but I am looking into
> implementing a SAML authority for one of the authentication products I
> work on. I haven't been able to find a good whitepaper on how to go
> about it, other than at Ping's SourceID but that does not explicitly
> mention any implementation discussions. Any leads are appreciated.

You may want to look at the OpenSAML and Shibboleth implementations, which
use SAML mostly for AuthN and Attribute handling.
Shibboleth is a very successful development by the Internet2 Middleware
initiative. So, you can find a lot of info there:
http://shibboleth.internet2.edu/
http://middleware.internet2.edu/
WS and Grid also define a std AuthZ framework using SAML:
GFD.38 Conceptual Grid Authorization Framework and Classification.
http://www.ggf.org/documents/GWD-I-E/GFD-I.038.pdf
GT 3.9.4 Authorization Framework.
http://www-unix.globus.org/toolkit/docs/development/3.9.4/security/authzframe/
Note: SAML itself can be only a component of a complex AuthZ or AuthN
and identity management infrastructure. You will need to have AuthN/Z
services, Attribute and Policy authorities, user directories, key
management, etc.
But still, SAML is a solution to provide a standard format for security
assertions that will allow you to implement a message/document basic
security model.
For SAML 1.1 and SAML 2.0 internal structure and its relation to other
stds for AuthN and AuthZ and one more use case, you can also look at this:
Using SAML and XACML for Authorisation assertions and messaging: SAML
and XACML standards overview and usage examples.
http://www.uazone.org/demch/analytic/draft-authz-xacml-saml-01.pdf