incubator-general mailing list archives

From Scott Cantor <>
Subject Proposal for OpenSAML (or a name TBD)
Date Tue, 28 Jan 2003 20:34:04 GMT
Here's the proposal solicited (and started) by the folks, edited by me. The name should indeed change if the scope of the subproject is to be wider than SAML (see outstanding issues at the bottom).

For the shib/internet2 folks, is the list to subscribe to to participate in the discussion.

Scott Cantor
The Ohio State Univ


Proposal for OpenSAML, A Web Services Subproject (via Incubator)

28 January 2003
Davanum Srinivas (, Scott Cantor (

(0) rationale

To support SAML (Security Assertion Markup Language), OpenSAML was developed by Internet2 as part of the Shibboleth project ( The project is currently hosted and managed by Internet2 at Both a Java and C++ library are being provided and maintained, with a goal of feature parity and API commonality between them.

One important web services component that might leverage OpenSAML is WS-Security ( is also a JSR 155 - Web Services Security Assertions ( in progress that will (in their words) define a set of APIs, exchange patterns and implementation to securely (integrity and confidentiality) exchange assertions between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either instead of or in addition to the existing API.

The PMC expressed a great deal of interest in the work in order to ramp up their activities quickly, and appears to be eager to contribute to the success of the subproject.

(0.1) criteria

Meritocracy: Design decisions have been made in consultation with the Shibboleth development team. WS-Sec or other links would be new code subject to open discussion as to approach and implication.

Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have been playing with the code in their projects. WS-Sec functionality might expand this interest.

Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development team, and a few other contributions, some from Apache contributors.

Alignment: Uses Xerces and Xalan (J and C), xml-security, generally looks to Apache projects before turning elsewhere, due to compatibility of licensing terms and code quality and support.

Scope: SAML and functionality to simplify the use of SAML in areas of interest. 

(0.2) warning signs

Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have looked at OpenSAML as a possible starting point.

Inexperience: The primary author has been coding the system for about 14 months, and has 5+ years experience on web security software, primarily in C and C++. Most of that code has been made publicly available and has been shared explicitly with other institutions. Other Shibboleth developers have contributed Unix systems programming, project organization, and Java experience to the project, and they have open source experience as well.

Homogeneous Developers: Primarily one developer to this point, though suggestions from other developers have influenced design. Project expected to support layered functionality contributed by other interested parties once core API stability is reached. IRC has been used extensively to discuss issues.

Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most of the development has been contract work, but the entire source base has been open source from the beginning.

No ties to other Apache Products: Extensive reliance on XML and Jakarta projects, should make use of and serve the forthcoming WS

Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a stable of developers, extend work into web services, possibly explore implications of SAML and Shibboleth models for SSO and identity federation within other Apache

(1) scope of the subproject

The purpose of this subproject is to create and maintain an implementation of the SAML standard, as defined by the OASIS SSTC, via libraries that support the messages, bindings, and profiles in the standard. This might eventually include reference implementations of SAML authorities for testing or development use (or more if there's interest). This subproject might include an implementation of the JSR-155 yet-to-be-published API for SAML in Java.

Work in the web services space, such as the WS-Security work that is emerging from OASIS, could take place either within the scope of a more broadly named project that includes and subsumes OpenSAML, or could be a dependent subproject at This would include JAX-RPC and Apache Axis specific WS-Security handlers and code to enable quick adoption of SAML and WS-Security within the Apache project community.

(2) identify the initial source from which the subproject is to be populated

(3) identify the ASF resources to be created 

(3.1) mailing list(s) 


(3.2) CVS repositories 

ws-opensaml (currently there is a cvs at

(3.3) Bugzilla 

(currently, there is a bugzilla at

(4) identify the initial set of committers 

Scott Cantor (

Walter Hoehn (

Derek Atkins (

Christian Geuer-Pollmann (

Mark Wilcox (

(5) identify apache sponsoring individual 

Davanum Srinivas (

(6) open issues for discussion

Is OpenSAML a stand-alone subproject, or should it expand to include WS-Security work?

Are there IPR-related concerns with SAML (patents held by RSA but offered royalty free), or especially with WS-Security and its family of specifications, most of which are not yet standards?
