SAML v2.0 SimpleSign

It looks like a new binding for SAML v2.0 is soon to be ratified: the HTTP POST "SimpleSign" Binding. The "SimpleSign" binding, originally crafted by Jeff Hodges and Scott Cantor, relaxes the XML Signature requirements on the SAML protocol, making it easier for scripting environments to send signed SAML requests and verify signed SAML responses. The main problem with XML Signature is performance: very few people realize that the cryptography involved in XML Signature is often dwarfed many times over by the extensive XML processing it requires, including parsing, transformation and XML canonicalization (c14n).

The situation only gets worse as the size of the XML document or the number of signed references increases. This profile takes a less sophisticated approach: it interprets the XML content of the SAML request or response as an octet stream and then represents the signature as a base64-encoded blob. While I think this type of profile will do wonders to help scripting environments support signed SAML requests, the specification does not replace the signature on the actual SAML assertion; it applies only to the request and response messages.
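As an added illustration (not code from the post, and not the SimpleSign draft's own reference code), here is the octet-stream idea in Go: the serialized message bytes are hashed and signed directly, with no XML parsing or c14n, and the signature travels as a base64 blob. The "SAMLResponse=...&RelayState=...&SigAlg=..." layout of the signed string, the RSA-SHA256 algorithm URI and the sample message are my assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed sample; in practice this is the serialized SAML protocol message
// exactly as it is placed (base64-encoded) in the SAMLResponse/SAMLRequest field.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0"/>`

// Assumed algorithm identifier carried in the SigAlg field.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// signInput builds the octets that get signed. The "param=<xml>&RelayState=<rs>&SigAlg=<alg>"
// layout is my reading of the draft; the post only says the XML is treated as an octet stream.
func signInput(param, xml, relayState, sigAlg string) []byte {
	s := param + "=" + xml
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return []byte(s + "&SigAlg=" + sigAlg)
}

// Sign hashes the raw octets and returns the base64 blob for the Signature field.
func Sign(key *rsa.PrivateKey, input []byte) (string, error) {
	digest := sha256.Sum256(input)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the blob against the received octets. With no canonicalization step,
// any re-serialization of the XML (even added whitespace) is a different message and fails.
func Verify(pub *rsa.PublicKey, input []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(input)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	in := signInput("SAMLResponse", sampleResponse, "state123", sigAlgRSASHA256)
	sig, _ := Sign(key, in)
	fmt.Println("valid:", Verify(&key.PublicKey, in, sig))
	fmt.Println("valid after re-serialization:", Verify(&key.PublicKey, signInput("SAMLResponse", sampleResponse+" ", "state123", sigAlgRSASHA256), sig))
}
```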

This means that for persistent message-level security on SAML assertions, XML Signature is still required. Another solution to this problem is to decouple the XML Signature processing from the scripting environment and move it onto the network with a SOA software appliance. This approach uses XML Signature as specified in the original spec (which you will likely have to use anyway if you want signed SAML assertions) and avoids having to implement and test a new profile.

Posted by Blake Dournaee on 2:49 PM

1 comment:

digital signatures said...

Thanks for sharing the information about SAML v2.0. Can I know when it will be available in the market? I want to use it as soon as it is available.

About Me

I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy.