Friday, February 02, 2007

SAML =/= SOAP

While acknowledging the 'sensitivity/value' advantages it has over 'lighter' alternatives, Eric Norlin incorrectly describes SAML as SOAP-based.
"it's still important to realize that SOAP-based systems of identity (SAML and WS-Federation) are still much more adept at maneuvering through high-risk transactions that take place online"
SAML does define a SOAP Binding as one mechanism for moving messages and assertions around. It also defines a number of other bindings that have nothing to do with SOAP.

I understand the mistake. SOAP is 'complex', SAML is 'complex', it just makes sense that they must be inextricably intertwined.
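To make the binding distinction concrete, here is an added example (not part of the original post) that carries one SAML 2.0 AuthnRequest over the HTTP-Redirect, HTTP-POST and SOAP bindings; only the last one involves a SOAP envelope. The request ID, timestamp, issuer and IdP URL are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample message; ID, timestamp and issuer are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example1" Version="2.0" IssueInstant="2007-02-02T00:00:00Z">'
    '<saml:Issuer>https://sp.example.org</saml:Issuer>'
    '</samlp:AuthnRequest>' % SAMLP_NS
)

def redirect_binding(xml, idp_url):
    """HTTP-Redirect: raw DEFLATE, base64, URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated)})
    return idp_url + "?" + query

def post_binding(xml):
    """HTTP-POST: base64 only, carried in a hidden form field."""
    return base64.b64encode(xml.encode()).decode()

def soap_binding(xml):
    """SOAP: the same message wrapped in a SOAP 1.1 Envelope/Body."""
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body>%s</soap:Body>'
            '</soap:Envelope>' % (SOAP_NS, xml))

def decode_redirect(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def decode_post(field):
    return base64.b64decode(field).decode()

def decode_soap(envelope):
    body = ET.fromstring(envelope).find("{%s}Body" % SOAP_NS)
    return body[0].tag  # qualified name of the SAML message inside the Body

if __name__ == "__main__":
    url = redirect_binding(AUTHN_REQUEST, "https://idp.example.org/sso")
    print(url)
    print("SOAP in redirect payload:", "Envelope" in decode_redirect(url))
    print("SOAP body carries:", decode_soap(soap_binding(AUTHN_REQUEST)))
```

The protocol message is byte-for-byte the same in all three cases; the binding only decides how it is wrapped for transport.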

3 comments:

Gunnar said...

Yes, I have never had an issue using SAML with my HTTP connection management system and HTML rendering software. Oops, I mean Firefox.

Tom said...

You're right, Paul, SOAP is not required, but it's easy to see why Eric (and others) make that association. Most implementations of SAML V1.1 employ either Browser/Artifact or attribute query, both of which require SOAP. On the other hand, emerging implementations of SAML V2.0 seem to be focusing on Browser/POST, which does not require SOAP. It may be too late to undo the damage, however.

James McGovern said...

Could you in a future blog entry comment on WS-XACML and how it can help make user-centric identity better?