[jdev] SAML

Jonathan Dickinson jonathan.dickinson at k2.com
Mon Jul 6 06:02:43 CDT 2009


Has anyone thought about how SAML [Security Assertion Markup Language] would work in terms of SASL <http://en.wikipedia.org/wiki/Saml> and XMPP? This is especially interesting regarding the whole OpenID/SSO discussion a while back; SAML isn't bound to HTTP or any other client for that matter (don't get the wrong idea from the abundance of HTTP documentation - it will work in any transport).

I have been reading a bit about SAML and it looks like they do B64 the SAML XML, with no explanation. It seems a bit strange to B64 an XML fragment in a SOAP document (or an XMPP stream for that matter) - maybe it has to do with the WS-Security schema.

As far as XMPP 1.0 goes we probably would have to B64 the fragment; but here are my initial thoughts on XMPP 2.0:

Possibly:
<mechanism type="http://www.w3.org/XML/1998/namespace">SAML</mechanism>

Which gives raise to:
<mechanism type="urn:xmpp:tmp:text-plain">PATHETIC</mechanism><!-- something like [name];[password] -->

And implicitly:
<mechanism type="urn:xmpp:tmp:base64">DIGEST-MD5</mechanism>

Indeed, we could go as far as to turn it into a feature on its own. It does support SASL-like mechanism selection itself; it should be possible to jippo SASL right in there:

<stream:features>
     <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
       <mechanism>DIGEST-MD5</mechanism>
       <mechanism>PLAIN</mechanism>
       <mechanism>EXTERNAL</mechanism>
     </mechanisms>
     <saml xmlns='http://the/saml/namespace'/>
</stream:features>

-- Jonathan


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20090706/d1587d28/attachment-0002.htm>


More information about the JDev mailing list