
Introduction


The InCommon Deployment Profile working group was chartered by the InCommon Technical Advisory Group (TAG) in the fall of 2016. The group was charged with creating a deployment profile that could be layered on top of the SAML 2.0 Deployment Profile, SAML2int, which was planned to receive a much-needed update. The working group would make its needs for the research and education (R&E) community known so that some could be incorporated into SAML2int; the remaining requirements would go into an R&E-specific deployment profile.
This work was a follow-on initiative recommended by the Federation Interoperability working group, which created a profile for SAML software developers. The Federation Interoperability working group recommended a second profile for deployers of SAML-based services and identity providers.
The Deployment Profile's charter stated the following:
Operating a broadly compatible SAML-based service or identity provider can be challenging. The standards and profiles that are currently available leave a lot of room for interpretation and customization. While this allows for flexibility, it also results in issues that make interoperating in a federation a lot harder than it should be. While deployment standards exist today, they fall short of solving the whole problem.

Process


The working group began by evaluating the issues list from the Federation Interoperability working group; many of the requirements for developers also apply to deployers. In addition, many of the issues on the previous working group's list had been considered out of scope for that group's work but were relevant for deployers. The group categorized and clarified the issues and added others from personal experience and community input. The result was a list of recommendations for SAML2int, R&E-specific issues, federation operator issues, and issues not belonging in a profile at all.
The group then tackled a number of tough issues for which requirements were needed but unclear: federated logout, identifiers, XML encryption, and logos. After several lengthy discussions, the group reached and documented consensus on these areas and formed them into requirements.
At this point, the group produced a second profile specifically dealing with identifiers. The OASIS SAML V2.0 Subject Identifier Attributes Profile reflects the work done in this area. It attempts to clear up confusion and issues with the numerous federated identifiers available to deployers today.
As the work progressed, the working group realized that, if SAML2int was going to be updated in a timely fashion, they would need to be the ones to do it. The group was depending on SAML2int updates to be completed before an R&E specific profile could be created. Thus, the group produced an updated version of SAML2int for community review and adoption.

The R&E community provided feedback during a consultation period in May of 2018. The following September, the group held two community review calls to discuss responses to the feedback. A small number of additional revisions were made as a result of the community review calls. The completed work is being presented to Kantara to supersede the current SAML2int after formal ratification.

Deliverables

Significant accomplishments

  • Identifiers: To address the large number of identifiers available today, most of which have significant issues or have been widely deployed incorrectly, the group created two new identifier attributes and documented them in a separate profile, which is being approved by the OASIS SSTC.
  • Federated logout:
  • Encryption:
  • Logos in metadata:
  • Error handling:


Recommendations to federations for implementing

  • Changing encryption algorithms:
  • Adopting new identifiers:


Noteworthy differences between Implementation and Deployment Profiles

  • Clock skew:


Remaining items for an R&E-specific profile

