Text view of topic - Chinese XML Forum - Professional XML technical discussion board (http://bbs.xml.org.cn/index.asp) -- 『 XML Security 』 (http://bbs.xml.org.cn/list.asp?boardid=27) ---- [Repost] New features of SAML (What's new with SAML?) (http://bbs.xml.org.cn/dispbbs.asp?boardid=27&rootid=&id=29655)
-- Author: admin -- Posted: 3/31/2006 3:29:00 PM -- [Repost] New features of SAML (What's new with SAML?)

What's new with SAML?
Ed Tittel, 03.29.2006

In previous XML tips we've looked at (and around) the Security Assertion Markup Language, aka SAML. But in the wake of increasing adoptions and use—as for example, its adoption as a cornerstone of the US Federal E-Authentication Initiative—another look seems warranted and is bound to prove interesting.

As of March 2005, in fact, there are three versions of SAML available:

  SAML 1.0, adopted as an OASIS standard in November, 2002 (this is the version that the e-authentication initiative has adopted)
  SAML 1.1

Assertions

As the name of this XML application indicates, it's all about security assertions. In fact, SAML supports three types of security assertions, all of which developers who must manage distributed or cooperative applications can't help but appreciate:

  Authentication statements: These assert to a service provider that a security principal has authenticated with an identity provider at a specific identified time using a specific identified method of authentication. Other information about a principal may also be included in such a statement, such as the principal's e-mail address.

Within the SAML environment, the above-mentioned types of assertions are ferried within the SAML protocol, which follows a simple request-response structure. In this environment a SAML requester issues a SAML request message to a responder and the SAML responder replies with a SAML response message to the requester. These message structures are simple and relatively compact, where the headers identify the version of SAML in use, along with simple request and response IDs, as well as timestamps, and the payload contains one or more SAML statements (authentication, attribute or authorization decision statements, in other words).

SAML 1.1 defines a single binding to support message exchange. Known as the SAML SOAP binding, it requires that a compatible implementation must implement SAML over SOAP over HTTP (other transport mechanisms are allowed providing all protocol-independent aspects of the SAML SOAP binding are transparently preserved). The binding occurs on SOAP version 1.1, where a SAML requester wraps a SAML request message within the body of a SOAP message, with a similar structure for replies from a SAML responder. The SOAP 1.1 specification also requires that if HTTP is used for transport, a SOAPAction HTTP header must be included in each HTTP request (this value may be something as simple as "SOAPAction: http://www.oasis-open.org/committees/security").

SAML also uses profiles to define the HTTP exchanges used to transfer security assertions from an identity provider to a service provider, where SAML 1.1 specifies two different types of browser-based single sign-on profiles:

  Browser/artifact Profile

Either way, the contents of the request and response messages manage the dialog between identity and service providers and help developers offload the details of identity management and authentication from their own code. For most developers tasked with building safe, secure Web-based applications and services, this is a very good thing!

In a future tip, we'll tackle what's new and interesting with SAML 2.0 and cover its increases in capability and functionality.

About the author
Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed at etittel@techtarget.com with comments, questions or suggested topics or tools for review.
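The request/response envelope and SOAP binding described in the post, exercised from the service-provider side as an added example (not code from the tip, from Ed Tittel, or from OASIS): it checks the version, the request/response ID pairing, the timestamps, the status and the assertion's validity window of a constructed SAML 1.1 Response. The namespace URIs are the SAML 1.1 and SOAP 1.1 ones; idp.example, the IDs and the alice@example.com subject are made-up sample values.

```python
# Added example (not from the tip or from OASIS): an SP-side check of the
# SAML 1.1 Response envelope described above; SAMPLE is constructed data.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _need(ok, why):
    if not ok:
        raise ValueError(why)

def check_response(soap_xml, request_id, now_iso, skew=timedelta(minutes=5)):
    """Check version, ID pairing, timestamps, status and the assertion's validity
    window; XML Signature verification is out of scope and must precede trust."""
    now = _ts(now_iso)
    resp = ET.fromstring(soap_xml).find(f"{SOAP}Body/{SAMLP}Response")
    _need(resp is not None, "no samlp:Response in SOAP body")
    _need((resp.get("MajorVersion"), resp.get("MinorVersion")) == ("1", "1"), "not SAML 1.1")
    _need(resp.get("InResponseTo") == request_id, "InResponseTo does not match our RequestID")
    _need(abs(_ts(resp.get("IssueInstant")) - now) <= skew, "IssueInstant outside skew window")
    code = resp.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    _need(code is not None and code.get("Value") == "samlp:Success", "status is not samlp:Success")
    a = resp.find(f"{SAML}Assertion")
    _need(a is not None, "no assertion in response")
    c = a.find(f"{SAML}Conditions")
    if c is not None:  # NotBefore / NotOnOrAfter bound the assertion's own lifetime
        nb, na = c.get("NotBefore"), c.get("NotOnOrAfter")
        _need(not nb or now >= _ts(nb) - skew, "assertion not yet valid")
        _need(not na or now < _ts(na) + skew, "assertion expired")
    st = a.find(f"{SAML}AuthenticationStatement")
    _need(st is not None, "no AuthenticationStatement")
    return {"subject": st.findtext(f"{SAML}Subject/{SAML}NameIdentifier"),
            "method": st.get("AuthenticationMethod"), "instant": st.get("AuthenticationInstant")}

SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP[1:-1]}"><soap:Body>
<samlp:Response xmlns:samlp="{SAMLP[1:-1]}" xmlns:saml="{SAML[1:-1]}" MajorVersion="1"
 MinorVersion="1" ResponseID="_r1" InResponseTo="_q1" IssueInstant="2006-03-29T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="idp.example"
  IssueInstant="2006-03-29T10:00:00Z">
  <saml:Conditions NotBefore="2006-03-29T09:59:00Z" NotOnOrAfter="2006-03-29T10:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2006-03-29T09:59:30Z">
   <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement></saml:Assertion></samlp:Response></soap:Body></soap:Envelope>"""
```

The XML Signature over the response is deliberately not verified here; a real service provider verifies it before any of these fields are trusted.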
-- Author: ryuryuryu -- Posted: 4/2/2006 10:05:00 AM -- up,up thanks for sharing~~~~~~
-- Author: yinnanzzy -- Posted: 10/13/2006 6:57:00 PM -- Thanks!!!
-- Author: visuale -- Posted: 12/19/2006 11:32:00 AM -- Showing some support