
Proposal for OpenSAML, A Web Services Subproject (via Incubator)

28 January 2003, Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)

(0) rationale

To support SAML (Security Assertion Markup Language), Internet2 developed OpenSAML as part of the Shibboleth project (http://shibboleth.internet2.edu/). The project is currently hosted and managed by Internet2 at http://www.opensaml.org. Both Java and C++ libraries are provided and maintained, with the goal of feature parity and a common API between them.

There is also JSR 155, Web Services Security Assertions (http://www.jcp.org/en/jsr/detail?id=155), in progress; it will (in its own words) define a set of APIs, exchange patterns and an implementation to securely (with integrity and confidentiality) exchange assertions between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either instead of or in addition to the existing API. This is analogous to the migration in Xerces to JAXP when it became appropriate.

The ws.apache.org PMC expressed a great deal of interest in the work in order to ramp up their activities quickly, and appears to be eager to contribute to the success of the subproject.

(0.1) criteria

Meritocracy: Design decisions have been made in consultation with the Shibboleth development team.

Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have been playing with the code in their projects.

Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development team, and a few other contributions, some from Apache contributors.

Alignment: Uses Xerces and Xalan (both the Java and C++ versions) and xml-security, and generally looks to Apache projects before turning elsewhere, because of compatible licensing terms, code quality and support.

Scope: SAML and functionality to simplify the use of SAML in areas of interest.

(0.2) warning signs

Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have looked at OpenSAML as a possible starting point.

Inexperience: The primary author has been coding the system for about 14 months and has 5+ years of experience with web security software, primarily in C and C++. Most of that code has been made publicly available and has been shared explicitly with other institutions. Other Shibboleth developers have contributed Unix systems programming, project organization, and Java experience to the project, and they have open source experience as well.

Homogeneous Developers: Primarily one developer to this point, though suggestions from other developers have influenced the design. The project is expected to support layered functionality contributed by other interested parties once the core API reaches stability. IRC has been used extensively to discuss issues.

Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most of the development has been contract work, but the entire source base has been open source from the beginning.

No ties to other Apache Products: Extensive reliance on XML and Jakarta projects; the subproject should make use of, and serve, the forthcoming WS projects.

Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a stable of developers, extend the work into web services, and possibly explore the implications of the SAML and Shibboleth models for SSO and identity federation within other Apache projects.

(1) scope of the subproject

The purpose of this subproject is to create and maintain an implementation of the SAML standard, as defined by the OASIS SSTC, via libraries that support the messages, bindings, and profiles in the standard. This might eventually include reference implementations of SAML authorities for testing or development use (or more if there is interest). This subproject might also include an implementation of the yet-to-be-published JSR-155 API for SAML in Java.
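As an added illustration of what a SAML library has to do for a relying party beyond parsing XML, here are the condition checks a consumer of a SAML 1.x assertion performs before acting on it: validity window with clock skew, audience restriction, and version. This is example code written for this page, not OpenSAML or Shibboleth code. It assumes SAML 1.0 assertion syntax (namespace urn:oasis:names:tc:SAML:1.0:assertion), uses a constructed sample assertion whose Issuer, Audience and AssertionID values are placeholders, and treats XML Signature verification (the xml-security step) as a separate, prior step that is not shown.

```python
"""Condition checks for a SAML 1.x assertion (added example, not OpenSAML code).

Assumes SAML 1.0 assertion syntax. The sample assertion is constructed for
this example; issuer, audience and AssertionID are placeholders. Signature
verification (XML-DSig via xml-security) must happen before these checks;
on an unverified assertion they prove nothing.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: one AuthenticationStatement, five-minute window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="_example-id-1"
    Issuer="https://idp.example.edu/shibboleth" IssueInstant="2003-01-28T12:00:00Z">
  <saml:Conditions NotBefore="2003-01-28T12:00:00Z" NotOnOrAfter="2003-01-28T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-01-28T11:59:50Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xsd:dateTime; the spec requires UTC with a 'Z' suffix."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC instant with 'Z' suffix: %r" % value)
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M:%S.%f"):
        try:
            return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("malformed xsd:dateTime: %r" % value)


def check_conditions(assertion_xml, now, my_audience, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the assertion (empty list == acceptable).

    NotBefore is inclusive and NotOnOrAfter is exclusive, each relaxed by the
    allowed clock skew. Every AudienceRestrictionCondition must name this
    relying party. An assertion with no NotOnOrAfter (unbounded lifetime) is
    rejected as a conservative policy choice made for this example.
    Note: on untrusted input use a hardened parser (e.g. defusedxml) rather
    than the stdlib ElementTree to avoid entity-expansion attacks.
    """
    problems = []
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["not a SAML 1.x Assertion element"]
    if root.get("MajorVersion") != "1":
        problems.append("unsupported MajorVersion %r" % root.get("MajorVersion"))

    conds = root.find("saml:Conditions", NS)
    if conds is None:
        problems.append("no Conditions element: assertion has no validity window")
        return problems

    nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if nb is not None and now < parse_instant(nb) - skew:
        problems.append("assertion not yet valid (NotBefore=%s)" % nb)
    if noa is None:
        problems.append("Conditions has no NotOnOrAfter; unbounded lifetime not accepted")
    elif now >= parse_instant(noa) + skew:
        problems.append("assertion expired (NotOnOrAfter=%s)" % noa)

    for arc in conds.findall("saml:AudienceRestrictionCondition", NS):
        audiences = [a.text.strip() for a in arc.findall("saml:Audience", NS) if a.text]
        if my_audience not in audiences:
            problems.append("audience restriction %r does not include %s" % (audiences, my_audience))
    return problems


def check_at(instant, audience="https://sp.example.org/shibboleth", assertion_xml=SAMPLE_ASSERTION):
    """Evaluate an assertion at a given UTC instant (string form, for convenience)."""
    return check_conditions(assertion_xml, parse_instant(instant), audience)


if __name__ == "__main__":
    for when in ("2003-01-28T12:02:00Z", "2003-01-28T11:58:00Z", "2003-01-28T12:10:00Z"):
        print(when, check_at(when) or "OK")
    print("wrong audience", check_at("2003-01-28T12:02:00Z", audience="https://other.example.org/"))
```

The skew handling is where implementations tend to differ: the example accepts an assertion up to 60 seconds before NotBefore and up to 60 seconds past NotOnOrAfter, which is a deployment policy, not something the standard fixes. Whatever the window, the audience check must be applied to every AudienceRestrictionCondition present, since each is a separate condition that must hold.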

(2) identify the initial source from which the subproject is to be populated

http://www.opensaml.org

(3) identify the ASF resources to be created

(3.1) mailing lists: opensaml-user, opensaml-dev

(3.2) CVS repository: ws-opensaml (currently there is a CVS repository at cvs.internet2.edu)

(3.3) Bugzilla (currently there is a Bugzilla at bugzilla.internet2.edu)

(4) identify the initial set of committers

Scott Cantor (cantor.2@osu.edu)

Walter Hoehn (wassa@columbia.edu)

Derek Atkins (warlord@mit.edu)

Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)

Mark Wilcox (mark.wilcox@webct.com)

(5) identify apache sponsoring individual

Davanum Srinivas (dims@yahoo.com)

(6) open issues for discussion

Are there IPR-related concerns with SAML (patents held by RSA but offered royalty-free)?

OpenSAMLProposal (last edited 2009-09-20 23:31:49 by localhost)