One day after the Liberty Alliance announced the first version of its specification and lined up behind a key emerging protocol for sharing user authentication and authorization information, Microsoft Corp. on Tuesday outlined its plans to support the same protocol in the next version of its operating system.
While Microsoft stopped short of joining the Liberty Alliance, it said it would deliver support for the Security Assertion Markup Language (SAML) as an add-on to the Windows.Net operating system some time after the operating system is released, which is slated for the end of the year.
Microsoft plans to support SAML as but one of several security tokens used to pass authentication and authorization data. It currently supports Kerberos and X.509 certificates, but it is looking for an elegant way to support federated identity management over the Web, and SAML is emerging as the protocol of choice.
Microsoft, along with IBM Corp. and VeriSign Inc., created a specification called WS-Security, which they recently submitted to the Organization for the Advancement of Structured Information Standards (OASIS). The company said it would use WS-Security as the envelope to pass SAML identity data.
Microsoft has already announced WS-Security support in TrustBridge, a technology to federate separate and distinct deployments of Active Directory. It also said it would incorporate Kerberos into its Passport single-sign-on technology. Both those technologies are slated for next year.
Now SAML will join the lineup and be incorporated with the Roles Authorization Manager that Microsoft is building into .Net server. The authorization manager is a set of APIs that can be used by Web applications to check policies and determine users' access privileges based on their defined roles. The policies and roles will be stored in Active Directory or in a flat XML file.
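The role-based authorization check described above, as an added example that is not Microsoft's Authorization Manager code: a small Python policy loader that reads roles, their permitted operations, and user-to-role assignments from a flat XML document, then answers access checks deny-by-default. The element and attribute names (AuthorizationPolicy, Role, Operation, User) and the sample ExpenseApp policy are invented for illustration; an assignment to a role the policy never defines grants nothing and is recorded for audit.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample policy (hypothetical schema). In the setup the article
# describes, this would come from a flat XML file or Active Directory.
POLICY_XML = """<?xml version="1.0"?>
<AuthorizationPolicy application="ExpenseApp">
  <Roles>
    <Role name="Submitter">
      <Operation name="SubmitReport"/>
      <Operation name="ViewOwnReport"/>
    </Role>
    <Role name="Approver">
      <Operation name="ViewOwnReport"/>
      <Operation name="ApproveReport"/>
    </Role>
  </Roles>
  <Assignments>
    <User name="alice" role="Submitter"/>
    <User name="bob" role="Submitter"/>
    <User name="bob" role="Approver"/>
    <User name="mallory" role="Auditor"/>
  </Assignments>
</AuthorizationPolicy>
"""


class AuthorizationPolicy:
    """Roles-to-operations policy loaded from XML; every check is deny-by-default."""

    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.application = root.get("application", "")
        # role name -> set of operation names that role permits
        self.role_ops: dict[str, set[str]] = {}
        for role in root.iterfind("./Roles/Role"):
            ops = {op.get("name") for op in role.iterfind("Operation") if op.get("name")}
            self.role_ops[role.get("name")] = ops
        # user name -> set of assigned role names (only roles the policy defines)
        self.user_roles: dict[str, set[str]] = {}
        # (user, role) pairs that referenced an undefined role: grant nothing, keep for audit
        self.unknown_assignments: list[tuple[str, str]] = []
        for user in root.iterfind("./Assignments/User"):
            name, role = user.get("name"), user.get("role")
            if role not in self.role_ops:
                self.unknown_assignments.append((name, role))
                continue
            self.user_roles.setdefault(name, set()).add(role)

    def roles_of(self, user: str) -> set[str]:
        """Roles assigned to a user; unknown users have none."""
        return set(self.user_roles.get(user, set()))

    def effective_operations(self, user: str) -> set[str]:
        """Union of the operations permitted by all of the user's roles."""
        ops: set[str] = set()
        for role in self.user_roles.get(user, ()):
            ops |= self.role_ops[role]
        return ops

    def is_allowed(self, user: str, operation: str) -> bool:
        """True only if some assigned role explicitly lists the operation."""
        return operation in self.effective_operations(user)


if __name__ == "__main__":
    policy = AuthorizationPolicy(POLICY_XML)
    for user, op in [("alice", "SubmitReport"), ("alice", "ApproveReport"),
                     ("bob", "ApproveReport"), ("mallory", "ViewOwnReport")]:
        print(f"{policy.application}: {user} -> {op}: "
              f"{'allow' if policy.is_allowed(user, op) else 'deny'}")
    print("dangling assignments:", policy.unknown_assignments)
```

A web application would call `is_allowed` at each protected operation rather than caching a yes/no per session, so a role removed from the policy takes effect on the next check; the `unknown_assignments` list is what an administrator reviews to catch typos that silently strip a user of access.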
"We will add the ability to create and pass SAML assertions from the authorization manager," says Praerit Garg, group product manager for Microsoft. "It's primarily for authorization, but it also is authentication."
But Garg says more work needs to be done around standardizing the vocabulary used to describe roles and privileges, and for controlling who can make what type of security assertions in order to federate identity and access control information among unlike systems. He says that is an issue the entire industry must work on.
But critics say Microsoft is not deploying the entire SAML 1.0 specification and that users should investigate just what they are getting from Microsoft.
"Microsoft says it is supporting SAML, but they are not implementing some pieces of the 1.0 specification," says Jim Kobielus, an analyst with the Burton Group. "They are not implementing the full suite of SAML assertions and profiles the way others are." For example, Microsoft will not support Browser/Artifact, a method of passing SAML assertions that is the simplest way to use SAML.
"At some point you have to ask what is the purpose, if Microsoft is going to do it their own way," Kobielus says.
Microsoft acted similarly when it implemented Kerberos in Windows 2000, but it eventually made public its implementation of the security specification.
Garg confirmed Microsoft is not supporting the entire specification, but said the missing pieces will be added by third-party products such as Web access management software that supports Browser/Artifact.
He also said he would have to wait until he reads the Liberty Alliance specification to determine if Microsoft and the Liberty Alliance are on the same page with SAML. He says there may be some difference, given that Liberty is more consumer-focused and that Microsoft is taking a corporate approach.
The news comes a day after the Liberty Alliance announced version 1.0 of a specification that outlines a single-sign-on technology based on SAML. It allows a user to authenticate at one network access point and use that identity to traverse other sites, both internal and external. This so-called federated identity management can be used in electronic commerce and Web services for business-to-consumer and business-to-business interaction, although the initial focus is on the consumer side.
The Liberty Alliance is using SAML as its base specification for passing authentication and authorization data. It will add a set of policies that govern how the data can be used.
Version 1.0 of the specification includes an "opt-in" provision that allows users to choose which service providers they want to link through their accounts. The specification also has a global log-out feature that lets a user sign out of all their linked accounts at one time.
Other features include a simplified sign-on for linked accounts that lets users log in once and move freely among linked accounts, an authentication context that determines what kind of authentication will be used for user log-ins, and a client feature that supports both fixed and wireless devices.
The Liberty Alliance, a diverse group that includes Sun Microsystems, Nokia, MasterCard and American Express, also added 26 new members on Monday.
Companies such as Entrust, NeuStar, Novell, Sun, Oblix, Netegrity and RSA Security said they would ship SAML-compliant products by the end of the year.
Novell in particular said it would incorporate the Liberty Alliance specification into its eDirectory and iChain access management software as part of its Project Saturn to create a single-sign-on infrastructure for internal corporate networks and extranets.