Members of the OASIS interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.
Earmarked as crucial for federated identity management within Web services by The Liberty Alliance, SAML 1.0 is already on the fast track for implementation among a number of Web access management and Web services security products currently available to customers.
IT vendors credited with the development of SAML include IBM Corp., Hewlett-Packard Co., BEA Systems Inc., Sun Microsystems Inc., VeriSign Inc., Computer Associates International Inc., RSA Security Inc., Baltimore Technologies PLC, Entrust Inc., Oblix Inc., OpenNetwork Technologies Inc., Hitachi Ltd., and Quadrasis, as well as other members of the OASIS Security Services Technical Committee.
According to OASIS (Organization for the Advancement of Structured Information Standards) officials, SAML promises to let users move freely among multiple Web sites without repeatedly entering trusted credentials by hand. The specification promotes the exchange of authentication and authorization materials by making use of Web services standards such as XML, SOAP, and TLS (Transport Layer Security), and integrates with HTTP or any Web browser.
However, some security experts expect that the business-side challenges of Web services and federated identity will require a great deal more scrutiny than producing SAML-friendly products and environments.
"Before we see a whole lot of federation through SAML ... you have to reexamine business agreements, contracts, and make sure language is right and who's going to accept reliability. How is the trust relationship going to be set up and managed," said Gerry Gebel, an analyst for The Burton Group Corp. in Salt Lake City. "There's a little bit of uncertainty in what that's going to entail and what best practices will emerge as a template for people to use."