Early last month, a key element in using Web services for business applications reached a milestone when SAML 1.0 was released as a standard by the XML consortium OASIS, or Organization for the Advancement of Structured Information Standards.
Security Assertion Markup Language, which is based on XML, provides a framework for authentication and authorization in Web services—something that has been sorely missing. SAML also makes it possible to provide single-sign-on capabilities, one reason that it is a core technology behind the Liberty Alliance's ID management effort.
Although not all security and access control applications may be up to the final standard specification, many already incorporate some form of SAML support. This isn't surprising, given that the SAML working group comprises representatives from most of the leading authentication vendors.
However, even if your business isn't using one of these applications, incorporating SAML into your Web services is not difficult. eWeek Labs found the SAML specification to be simple and straightforward. If you can write an XML-based Web service, you can easily define authentication using SAML.
In its most basic form, SAML associates an identity (such as an e-mail address or a directory listing) with a subject (such as a user or system) and defines that subject's access rights to a specific domain.
One of the biggest strengths of SAML is how well it can interoperate with any kind of system. For example, when it comes to authentication, SAML supports almost everything, from passwords to hardware tokens to public keys to secure certificates. SAML also has built-in support for XML signatures, making it possible to handle not only authentication but also message integrity and nonrepudiation of the sender.
The defined transport mechanism for SAML is Simple Object Access Protocol over HTTP—no surprise, given the standard's focus on Web services. However, because of its XML roots, SAML can be easily bound to any other transport mechanism.
SAML can handle single-sign-on capabilities because a SAML authentication authority can receive and send authentication assertions. This means that as a user authenticates and takes actions in a domain, the SAML authority is aware of past authorizations and assertions.
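As an added example (not from the article or from OASIS), the checks a relying party in one domain would apply to a SAML 1.0 authentication assertion before honouring it: a trusted issuer, the validity window, the audience restriction that scopes the assertion to a domain, and the subject it names. The issuer, subject and domain names in the sample assertion are constructed, and XML Signature verification is assumed to have been done before these checks.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample (hypothetical issuer, subject and domain): "idp.example"
# asserts that alice authenticated with a password, valid only for "shop.example".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="_a1b2c3" Issuer="idp.example"
  IssueInstant="2002-12-01T10:00:00Z">
<saml:Conditions NotBefore="2002-12-01T10:00:00Z" NotOnOrAfter="2002-12-01T10:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>shop.example</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
  AuthenticationInstant="2002-12-01T09:59:58Z">
  <saml:Subject><saml:NameIdentifier>alice@idp.example</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_ts(s):
    # The sample uses UTC dateTime values with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, my_domain, now, trusted_issuers):
    """Return (subject, authentication method) if my_domain may rely on the
    assertion at time `now`; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no validity conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive.
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_domain not in audiences:
        raise ValueError("assertion not intended for this domain")
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no authentication statement")
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    return subject, stmt.get("AuthenticationMethod")

def accepts(xml_text, my_domain, now_str, trusted_issuers):
    """Boolean convenience wrapper around validate_assertion."""
    try:
        validate_assertion(xml_text, my_domain, parse_ts(now_str), trusted_issuers)
        return True
    except ValueError:
        return False
```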
One potential weakness in SAML is the lack of backing by Microsoft Corp., which has so far focused on other methods for Web services single sign-on, such as Passport. However, given SAML's open nature, Microsoft shops should have little difficulty incorporating it into their .Net Web service applications.
To read the SAML specification document, go to www.oasisopen.org/committees/security/docs/cs-sstc-core-01.pdf.
East Coast Technical Director Jim Rapoza can be reached at [email protected]