You can now download free toolkits and reference implementations for service providers which will integrate with Identity Providers supporting the open SAML 2.0 standard. The toolkits and associated reference implementations implement the Danish eGov OIOSAML 2.0 profile and can be downloaded from the open source repository. The purpose of these toolkits is twofold.
Welcome to SAML XML.org.
This is the official community gathering place and information resource for the SAML OASIS Standard. SAML provides an XML-based framework for creating and exchanging security information between online partners. This is a community-driven site, and the public is encouraged to contribute content.
I'm new to SAML and I have two - hopefully not too silly - questions:
I understood from the profiles in the standard that when requesting an assertion the relying party (server) never contacts the SAML authority (identity provider) directly but only via the user (client), e.g. by redirect.
My question: Is it also possible that the server contacts the SAML authority directly to request an assertion?
- If not, why not?
- If yes, where can I find this variation in the standard?
Mail archives are available for the following SSTC mailing lists that are no longer in use.
- security-consider
I am intending to use the SAML v2 specification by OASIS to generate SAML Assertions and include the same within the SOAP Header of all messages along with a WS Digital Signature. The intention is to address 3 of the 4 A's of security to our services landscape.
My concern is that - as for now - OASIS WS-Security v1.1 provides a SAML Token Profile (http://www.oasis-open.org/specs/#wssprofilesv1.0) but it seems this profile is for SAML v1.1! Therefore, my solution might have a gap!
Is it possible / supported to use WS-Security v1.1 along with SAML v2.0?