Convenor: Peter Gietz
Solutions:
- Moonshot
- SAML ECP
- OAuth2
- WS-Trust STS (Secure token)
- OpenID Connect (not SAML based, but addresses the same problem space)
- Use SAML with a self-service web application on the PC, e.g. a QR tag to bootstrap OAuth2 on your phone (Victoriano described a pilot project at the University of Malaga)
- SURFnet APIs (on the OAuth2 page) integrated SAML into OAuth2
Discussion
Note:
- SAML is for authN and attributes; the embedded XACML is not used
- AuthZ is handled somewhere else (OAuth may be used for that)
The fundamental problem of web services is authZ
2 problems:
- who is the user?
- what can (s)he do?
OAuth2 + SAML:
Use SAML to do authN for OAuth ("3-legged" scenario)
Example open source implementations: APIs (github.com/openconextapps)
Several other open source and commercial examples exist
Business case
Banks want to build on SAML as it is already there, and because of the opportunity for inter-federation. They need to use SAML to be able to federate with other banks. View from the bank: use of ECP is uncertain, as it is unclear whether an implementation with different authN methods would comply with the standard.
Reply: ECP needs to be profiled, because the authN method cannot be defined in general. Ubisecure did implement ECP with a proxy that translates HTTP Basic authN to ECP
Three solution spaces
- Move the SAML stuff to the web service
example: SAML ECP and STS, to an extent Moonshot
- Proxy the SAML authN to something else
e.g. SAML + OAuth2, PKI
- Bootstrap scenario
Additional issue:
Do or do not use a web browser on the mobile client?
SAML ECP:
Additional profiling needed. Done in Finland
- Scenario: 1 IdP (with ECP support); the back channel is proprietary (based on part of the RADIUS spec)
PAM ECP exists
Bootstrap scenario
Bootstrap a token with SAML (or something like it), and use that token on the mobile device (with OAuth2 or something else)
Either certificate based (e.g. with InCert) or bootstrap
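The bootstrap scenario above (and the QR-tag pilot and "OAuth2 + a bootstrap based on SAML" solution scenario mentioned elsewhere in these notes) can be modelled as a small service: the self-service web app, once the browser session has been SAML-authenticated, mints a short-lived one-time code and renders it as a QR tag; the phone scans it and redeems it for an OAuth2-style bearer token bound to that device. The following is an added illustration written for these notes, not code from any project or pilot named here; the SAML step itself is represented only by the subject identifier the web session already holds, and all names, TTLs and sample subjects are assumptions.

```python
"""Added example: toy model of a SAML-bootstrapped OAuth2 token flow.
Illustrative code written for these notes, not code from any project
mentioned in them. The SAML SSO step is assumed to have already happened
in the browser; only its resulting subject identifier enters this model."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

BOOTSTRAP_TTL_SECONDS = 120   # assumed lifetime of the QR code on screen
TOKEN_TTL_SECONDS = 3600      # assumed lifetime of the issued bearer token


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class BootstrapCode:
    subject: str        # identity taken from the SAML-authenticated browser session
    issued_at: float
    used: bool = False


@dataclass
class AccessToken:
    subject: str
    device_id: str      # the phone that redeemed the code
    scope: str
    expires_at: float


class BootstrapService:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        # Both stores are keyed by a SHA-256 digest of the secret, so a leaked
        # store holds nothing that can be redeemed or presented directly.
        self._codes: Dict[str, BootstrapCode] = {}
        self._tokens: Dict[str, AccessToken] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue_bootstrap_code(self, saml_subject: str) -> str:
        """Called by the self-service web app after SAML SSO succeeded.
        Returns the one-time code that the page renders as a QR tag."""
        code = secrets.token_urlsafe(32)
        self._codes[self._digest(code)] = BootstrapCode(saml_subject, self._clock())
        return code

    def redeem(self, code: str, device_id: str, scope: str = "api") -> Optional[str]:
        """The mobile client presents the scanned code and gets a bearer token,
        or None. A code is accepted at most once and only within its TTL."""
        key = self._digest(code)
        entry = self._codes.get(key)
        if entry is None:
            return None
        now = self._clock()
        if entry.used or now - entry.issued_at > BOOTSTRAP_TTL_SECONDS:
            self._codes.pop(key, None)   # burn replayed or stale codes
            return None
        entry.used = True
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = AccessToken(
            entry.subject, device_id, scope, now + TOKEN_TTL_SECONDS)
        return token

    def introspect(self, token: str) -> Optional[AccessToken]:
        """What the protected API asks: who is the caller and what may it do?"""
        info = self._tokens.get(self._digest(token))
        if info is None or self._clock() > info.expires_at:
            return None
        return info


def demo() -> dict:
    clock = FakeClock()
    svc = BootstrapService(clock)
    code = svc.issue_bootstrap_code("alice@example.org")   # constructed subject
    first = svc.redeem(code, device_id="phone-1")
    replay = svc.redeem(code, device_id="phone-2")          # same QR scanned again
    late_code = svc.issue_bootstrap_code("bob@example.org")
    clock.now += BOOTSTRAP_TTL_SECONDS + 1                  # QR left on screen too long
    late = svc.redeem(late_code, device_id="phone-3")
    who = svc.introspect(first)
    return {"subject": who.subject if who else None,
            "device": who.device_id if who else None,
            "replay_rejected": replay is None,
            "expired_rejected": late is None}


if __name__ == "__main__":
    print(demo())
```

The two properties that make the bootstrap safe to show on a screen are visible in `redeem`: the code is single-use and short-lived, so a second scan of the same QR tag or a stale one yields nothing, and the token that comes out records which device redeemed it, which is the "who is the user" half of the authZ problem the notes name; the scope field is where the "what can (s)he do" half would be answered.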
REST-based vs SOAP-based services:
SOAP is strong in the enterprise, and includes business logic which REST cannot do. Building mobile to WS-*
SAML STS - but it is unclear how to hook that into SAML in a standardized way
Solution scenario:
1) OAuth2 + a bootstrap based on SAML, or a step-up scenario
OASIS stuff:
- XACML3 REST profile (JSON representation)
- CloudAuthZ: authZ for the cloud, esp. roles
Other activities:
- JSON for SAML (mostly to get rid of SOAP)