How to Study and Learn SAML Working Draft, 23 October 2006
Transcription
How to Study and Learn SAML Working Draft, 23 October 2006
1 2 How to Study and Learn SAML 3 Working Draft, 23 October 2006 4 5 Document identifier: draft-hodges-HowToLearnSAML-01 6 7 Location: http://www.oasis-open.org/committees/security/ 8 9 10 Editors: 11 12 Contributors: 13 14 15 16 17 Abstract: This brief whitepaper provides a functional introduction to the SAMLv2 specifications. It is tailored to protocol designer and developer's perspectives. First a conceptual introduction is presented, next suggestions on how to study and learn SAML are given, and then more detailed aspects are discussed. 18 19 Status: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 Jeff Hodges, NeuStar, Inc. This is an individual submission. Committee members should submit comments to the [email protected] list. Others should submit them by following the instructions at http://www.oasisopen.org/committees/comments/form.php?wg_abbrev=security. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights web page for the SSTC (http://www.oasisopen.org/committees/security/ipr.php). [@@Additional template instructions: Give the specification a document ID/filename of the form sstc-saml-descrip[-Vn.m]-{wd|cd}-nn. Sort editor and contributor lists first by affiliation (must be an OASIS institutional member or say “individual”), then by surname. Every time a revision is published, update the revision number and date that appear both on the title page and in the footer, and update the Table of Contents. When a Working Draft becomes a Committee Draft, delete the Revision History appendix and change the first paragraph of the Status section to “This is a Committee Draft approved by the Security Services Technical Committee (SSTC) on nn month 2006.” The document ID/filename will change as well. Currently, change-tracking is on; reflect any per-revision changes by recording them in this manner.] Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 1 of 14 36 Table of Contents 37 1 Introduction............................................................................................................................................... 3 38 1.1 Notation............................................................................................................................................. 3 2 Next Section.............................................................................................................................................. 5 39 40 41 42 43 44 45 3 New Profile................................................................................................................................................ 6 3.1 Required Information......................................................................................................................... 6 4 References............................................................................................................................................... 7 5 Revision History...................................................................................................................................... 11 Appendix A. Acknowledgements................................................................................................................ 12 Appendix B. Notices................................................................................................................................... 13 46 Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 2 of 14 47 1 Introduction 48 49 50 This brief whitepaper provides a functional introduction to the SAMLv2 specifications. It is tailored to protocol designer and developer's perspectives. First a conceptual introduction is presented, next suggestions on how to study and learn SAML are given, and then more detailed aspects are discussed. 51 1.1 Notation 52 Typographical conventions used in this document are: 53 Listings of XML schemas appear like this. 54 55 Example code listings appear like this. 56 57 This specification uses the following typographical conventions in text: <SAMLElement>, <ns:ForeignElement>, Attribute, Datatype, OtherKeyword. Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 3 of 14 58 2 Conceptual Introduction to SAML 59 60 61 62 SAML [[SAMLExecOvw]] defines an XML-based framework for crafting "security assertions", and exchanging them between entities. In the course of creating, or relying upon such assertions, SAML system entities may use SAML protocols, or other protocols, to convey an assertion itself, or to communicate about the "subject" of an assertion. 63 64 65 Thus one can employ SAML to make statements such as: "Alice has these profile attributes and her domain's certificate is available over there, and I'm making this statement, and here's who I am." 66 67 68 Then one can cause such an assertion to be conveyed to some party who can then rely on it in some fashion for some purpose, for example input it into a local policy evaluation gating access to some resource. 69 70 71 Such applications of SAML are done in a particular "context of use". A particular context of use could be, for example, deciding whether to accept and act upon a SIP-based invitation to initiate a communication session. 72 73 74 75 76 The specification of just how SAML is employed in any given context of use is known as a "SAML profile". The specification of how SAML assertions and/or protocol messages are conveyed in, or over, another protocol is known as a "SAML Binding". Typically, a SAML profile specifies the SAML bindings that may be used in its context. Both SAML profiles and SAML bindings in turn reference other SAML specifications, especially the SAML Assertions and Protocols, aka "SAML Core", specification [[SAMLCore]]. 77 78 79 80 81 82 83 This relationship between SAML specifications, as well as SAML-dependent specifications, is illustrated below in Illustration 1: Conceptual Dependencies between SAML Profiles, Bindings, and Core Specifications,as well as Target Protocols. The relationships between the various boxes in the diagrams is one of <spanx style="emph">dependencies</spanx>. Note how the boxes representing SAML Profiles— this means <spanx style="emph">any</spanx> SAML profile—depends upon both the SAML Core specification as well as SAML Bindings, and and of course also upon the specifications of the target profile(s). 84 85 86 87 Note that the SAML Assertions & Protocols specification, the SAML Core, is conceptually "abstract". It defines the bits and pieces that make up SAML Assertions, and their nominal semantics, but does not define how to actually put them to use in any particular context. That, as we've said, is left to SAML Profiles, of which there can be many. 88 89 90 91 The original SAML profiles, which concentrate on the problem domain of "Web Single Sign-On", are specified in [[SAMLProf]] (note that this specification is called out in the "SAML Profiles" box in Illustration 1: Conceptual Dependencies between SAML Profiles, Bindings, and Core Specifications,as well as Target Protocols). An example of a different, non-Web-SSO SAML profile is given in [SIP-SAML]. Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 4 of 14 SAML Profiles <CONCRETE> saml-profiles-2.0-os [see also: draft-ietf-sip-saml-00 ] SAML Bindings <CONCRETE> SAML Assertions & Protocols <ABSTRACT> aka “SAML Core” saml-core-2.0-os saml-bindings-2.0-os Target protocol(s) <CONCRETE> [..in a particular overall "context of use", eg. using SIP to establish multi-media sessions on a user's behalf Web SSO, or DAV, etc. Such a profile may depend upon more than one protocol in conjunction -- eg HTTP & SIP -- to accomplish the profile's mission (see sip-saml draft)] Underlying Protocol(s) or Technologies <CONCRETE> E.g. TLS, and/or TCP, IP, IPSec, as appropriate. Illustration 1: Conceptual Dependencies between SAML Profiles, Bindings, and Core Specifications,as well as Target Protocols 92 3 How to Study and Learn SAML 93 94 95 Given the gist of the above discussion—that the descriptions of SAML applied in concrete contexts is given in SAML profiles—here is a suggested approach for reading the SAML specification set if one has as their goal "learning SAML": 96 97 98 99 100 101 102 103 • Begin by studying various SAML Profiles, e.g. those given in [[SAMLProf]] and [SIP-SAML]. One will likely find the SAML Technical Overview whitepaper [[SAMLTechOvw]] helpful in this endeavor. It provides a detailed, illustrated expose of several of the SAML Web SSO profiles. • Only refer to the SAML Core specification [[SAMLCore]] as necessary for definitions and semantics of particular items refered to in the profiles and bindings you are studying. • Also, refer to the other SAML specifications and documents as necessary: • The SAML glossary [[SAMLGloss]] defines many of the key terms used throughout the SAML specification set. Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 5 of 14 111 112 • SAML profiles often reference the SAML Metadata specification [[SAMLMeta]]. This spec defines how one "discovers" various configuration aspects of a SAML deployment. Often one needs to determine this information in order to establish communication. • The characteristics of specific SAML entity implementations—based upon the profiles in [[SAMLProf]], such as a "SAML Authority", or a "SAML-based service provider”—are given in the SAML Conformance specification [SAMLConf]. • Various security aspects of the SAML profiles and bindings given in the SAMLv2 specification set are discussed and analyzed in the SAML Security Considerations specification [[SAMLSec]]. 113 114 Studying SAML in this fashion is a more concrete, context-rich, practical-application approach than, say, starting cold with reading the rather abstract SAML Core specification. 104 105 106 107 108 109 110 Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 6 of 14 115 4 SAML in More Detail 116 117 118 This section first discusses the notion of "SAML assertion profiles", and then follows with a more detailed description of SAML assertions as well as the abstract SAML request/response protocol, both of which are defined in the SAML Core specification [[SAMLCore]]. 119 4.1 SAML Assertion Profiles 120 121 122 123 There is an additional subtle aspect of SAML profiles that is worth highlighting: the notion of "SAML assertion profiles". A SAML assertion profile is the specification of the specific SAML assertion contents in the context of a particular SAML profile. It is possibly further qualified by a particular implementation and/or deployment context. Two condensed examples of SAML assertion profiles are: 124 125 126 127 128 129 • The SAML assertion must contain at least one authentication statement and no other statements. The relying party must be represented in the <AudienceRestriction> element. The SubjectConfirmation Method must be Foo. etc. • The SAML assertion must contain at least one attribute statement and may contain more than one. The values for the subject's profile attributes named "Foo" and "Bar" must be present. An authentication statement may be present. etc. 130 131 For a more in-depth example of an explicit SAML assertion profile, see section 6.1.4 "Assertion Profile Description" of [SIP-SAML]. 132 133 134 Note that all SAML profiles will more or less explicitly encompass one or more assertion profiles. For example, all the SAML profiles specified in [[SAMLProf]] do so, however their "assertion profiles" are not explicitly labeled as such. 135 4.2 SAML Assertions 136 137 138 A SAML assertion is a package of information including issuer and subject, conditions and advice, and/or attribute statements, and/or authentication statements and/or other statements. Statements may or may not be present. The SAML assertion "container" itself contains the following information: 139 140 141 142 143 144 145 146 147 148 149 150 151 152 Issuing information: Who issued the assertion, when was it issued and the assertion identifier. Subject information: The name of the subject, the security domain and optional subject information, like public key. Conditions under which the assertion is valid: Special kind of conditions like assertion validity period, audience restriction and target restriction. Additional advice: Explaining how the assertion was made, for example. In terms of SAML assertions containing SAML attribute statements or SAML authentication statements, here are explanatory examples: • With a SAML assertion containing a SAML attribute statement, an issuing authority is asserting that the subject is associated with certain attributes with certain subject profile attribute values. For example, user [email protected] is associated with the attribute "Department", which has the value "Computer Science". Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 7 of 14 153 154 155 156 • With a SAML assertion containing a SAML authentication statement, an issuing authority is asserting that the subject was authenticated by certain means at a certain time. • With a SAML assertion containing both a SAML attribute statement and a SAML authentication statement, an issuing authority is asserting the union of the above. 157 Examples of actual SAML assertions are given below in Section 5. 158 4.3 Abstract Request/Response Protocol 159 160 161 162 163 164 165 SAML defines an abstract request/response protocol for obtaining assertions. See Section 3 "SAML Protocols" of [[SAMLCore]]. A request asks for an assertion. A response returns the requested assertion or an error. This abstract protocol may then be cast into particular contexts of use by binding it to specific underlying protocols, e.g., HTTP or SIP, and "profiling" it for the specific use case at hand. The SAML HTTP-based web single sign-on profile is one such example (see Section 4.1 Web Browser SSO Profile of [[SAMLProf]]). Trait-based SIP communication session establishment, the topic of this specification, is another. Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 8 of 14 166 5 Example SAML Assertions 167 168 This section presents two examples of a SAML assertion, one unsigned, the other signed and thus is integrity protected, and attests to the originating author. 169 170 171 172 173 In the first example, below, the assertion is attesting with respect to the subject (lines 7-15) "[email protected]" (line 11). The validity conditions are expressed in lines 16-23, via both a validity period expressed as temporal endpoints, and an "audience restriction" stating that this assertion's semantics are valid for only the relying party named "example2.com". Also, the assertion's issuer is noted in lines 4-5. 174 175 In lines 24-36, Alice's telephone number is conveyed, in a "typed" fashion, using LDAP/X.500 schema as the typing means. 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 1 <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" 2 IssueInstant="2003-04-17T00:46:02Z" Version="2.0" 3 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> 4 <Issuer> 5 example.com 6 </Issuer> 7 <Subject> 8 <NameID 9 Format= 10 "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> 11 [email protected] 12 </NameID> 13 <SubjectConfirmation 14 Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/> 15 </Subject> 16 <Conditions NotBefore="2003-04-17T00:46:02Z" 17 NotOnOrAfter="2003-04-17T00:51:02Z"> 18 <AudienceRestriction> 19 <Audience> 20 example2.com 21 </Audience> 22 </AudienceRestriction> 23 </Conditions> 24 <AttributeStatement> 25 <saml:Attribute 26 xmlns:x500= 27 "urn:oasis:names:tc:SAML:2.0:profiles:attribut 28 NameFormat= 29 "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" 30 Name="urn:oid:2.5.4.20" 31 FriendlyName="telephoneNumber"> 32 <saml:AttributeValue xsi:type="xs:string"> 33 +1-888-555-1212 34 </saml:AttributeValue> 35 </saml:Attribute> 36 </AttributeStatement> 37 </Assertion> Example 1: Unsigned SAML Assertion Illustrating Conveyance of Subject Attribute 213 214 215 216 217 218 219 220 221 222 223 224 In the second example, below, the information described above is the same, the addition is that this version of the assertion is signed. All the signature information is conveyed in the <ds:signature> element, lines 7-47. Thus this assertion's origin and its integrity are assured. Since this assertion is the same as the one in the first example above, other than having a signature added, the second example below addresses the same Security Considerations aspects, plus those requiring a Signature. 1 <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" 2 IssueInstant="2003-04-17T00:46:02Z" Version="2.0" 3 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> 4 <Issuer> 5 example.com 6 </Issuer> 7 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 9 of 14 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 8 <ds:SignedInfo> 9 <ds:CanonicalizationMethod 10 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 11 <ds:SignatureMethod 12 Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 13 <ds:Reference 14 URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc"> 15 <ds:Transforms> 16 <ds:Transform 17 Algorithm= 18 "http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 19 <ds:Transform 20 Algorithm= 21 "http://www.w3.org/2001/10/xml-exc-c14n#"> 22 <InclusiveNamespaces 23 PrefixList="#default saml ds xs xsi" 24 xmlns= 25 "http://www.w3.org/2001/10/xml-exc-c14n#"/> 26 </ds:Transform> 27 </ds:Transforms> 28 <ds:DigestMethod 29 Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 30 <ds:DigestValue> 31 Kclet6XcaOgOWXM4gty6/UNdviI= 32 </ds:DigestValue> 33 </ds:Reference> 34 </ds:SignedInfo> 35 <ds:SignatureValue> 36 hq4zk+ZknjggCQgZm7ea8fI7...Hr7wHxvCCRwubfZ6RqVL+wNmeWI4= 37 </ds:SignatureValue> 38 <ds:KeyInfo> 39 <ds:X509Data> 40 <ds:X509Certificate> 41 MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT 42 MRIwEAYDVQQIEwlXaXNjb ..... dnP6Hr7wHxvCCRwubnZAv2FU78pLX 43 8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w== 44 </ds:X509Certificate> 45 </ds:X509Data> 46 </ds:KeyInfo> 47 </ds:Signature> 48 <Subject> 49 <NameID 50 Format= 51 "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> 52 [email protected] 53 </NameID> 54 <SubjectConfirmation 55 Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/> 56 </Subject> 57 <Conditions NotBefore="2003-04-17T00:46:02Z" 58 NotOnOrAfter="2003-04-17T00:51:02Z"> 59 <AudienceRestriction> 60 <Audience> 61 example2.com 62 </Audience> 63 </AudienceRestriction> 64 </Conditions> 65 <AttributeStatement> 66 <saml:Attribute 67 xmlns:x500= 68 "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" 69 NameFormat= 70 "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" 71 Name="urn:oid:2.5.4.20" 72 FriendlyName="telephoneNumber"> 73 <saml:AttributeValue xsi:type="xs:string"> 74 +1-888-555-1212 75 </saml:AttributeValue> 76 </saml:Attribute> 77 </AttributeStatement> 78 </Assertion> Example 2: Signed SAML Assertion Illustrating Conveyance of Subject Attribute Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 10 of 14 296 6 References 297 6.1 Informative References 298 299 300 [SAMLBind] S. Cantor et al. Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasisopen.org/security/saml/v2.0/saml-bindings-2.0-os.pdf. 301 302 303 [SAMLConf] P. Mishra et al. Conformance Requirements for the OASIS Security Assertion Mark Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf. 304 305 306 [SAMLCore] S. Cantor et al. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf. 307 308 [SAMLExecOvw] P. Madsen et al. SAML v2.0 Executive Overview. OASIS SSTC Committee Draft 01, April 2005. See 309 310 311 [SAMLGloss] J. Hodges et al. Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasisopen.org/security/saml/v2.0/saml-glossary-2.0-os.pdf. 312 313 314 [SAMLMeta] S. Cantor et al. Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasisopen.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. 315 316 [SAMLMeta-xsd] S. Cantor et al. SAML metadata schema. OASIS Standard, March 2005. See http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd. 317 318 319 [SAMLProf] S. Cantor et al. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasisopen.org/security/saml/v2.0/saml-profiles-2.0-os.pdf. 320 321 [SAMLProt-xsd] S. Cantor et al. SAML protocols schema. OASIS Standard, March 2005. See http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd. 322 323 324 [SAMLSec] F. Hirsch et al. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, March 2005. See http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf. 325 326 327 [SAMLTechOvw] J. Hughes et al. Technical Overview for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC Working Draft. See http://www.oasisopen.org/committees/documents.php?wg_abbrev=security. 328 329 [SIP-SAML] H. Tschofenig et al. SIP SAML Profile and Binding. draft-ietf-sip-saml-00 (work in progress), June 2006. See . Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 11 of 14 330 7 Revision History 331 332 333 334 [@@Along with the title page and footer, update this table every time you publish. In general, people will want you to make change-bar PDFs available (with a filename of ...-diff.pdf). Upload at least the source file and one PDF to Kavi, setting the correct destination folder. This section should be removed before CD publication.] Rev 01 Date nn Mon 2006 Who Hodges What Initial draft. 335 Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 12 of 14 336 Appendix A. Acknowledgments 337 338 339 The editors would like to acknowledge the contributions of the OASIS Security Services Technical Committee, whose voting members at the time of publication were:[@@until Committee Draft publication, use “TBS”; at that time, get list from the SSTC Secretary; sort as for lists on title page] 340 • TBS Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 13 of 14 341 Appendix B. Notices 342 343 344 345 346 347 348 349 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director. 350 351 352 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director. 353 Copyright © OASIS Open 2006. All Rights Reserved. 354 355 356 357 358 359 360 361 This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English. 362 363 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. 364 365 366 367 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Draft-hodges-HowToLearnSAML-01 Copyright © OASIS Open 2006. All Rights Reserved. 23 October 2006 Page 14 of 14