Sign-On-And-Go Security

Even as Microsoft and Sun Microsystems duel to build competing identification systems, the technology exists today to deploy a single sign-on Web services marketplace.

Security Assertion Markup Language is an almost completed standard by the Organization for the Advancement of Structured Information Standards, a nonprofit consortium for the creation of interoperable industry standards. Based on XML, SAML allows a single sign-on for Web applications across the multitude of Web access management platforms available today.

Leaders in Web access management - such as Access360, Baltimore Technologies, Entrust, Hewlett-Packard, IBM, Netegrity, Oblix and VeriSign - have committed to the standard. When it's ratified early next year, these companies can incorporate SAML in their software, enabling an interoperable infrastructure for identity and access management.

Many of them have already incorporated early versions of the standard in the software they sell today, with free upgrades promised when SAML is complete.

SAML will play a key part in Sun's own authentication process, but a spokeswoman said she couldn't speak for the entire alliance of partners that Sun announced last week. Microsoft is not actively working on SAML, but recently started participating in discussions on how to make it work with its Passport authentication process.

Examples of how the technology could be used include business-to-employee portals that provide employees access to their health benefits, time sheets, expense reports and 401(k) portfolios, all using a single user profile; and a business-to-consumer portal in which a credit card company partners with several online retailers to allow customers to shop from site to site without ever having to re-enter their ID numbers.

"The value to the end user is convenience," said Enrique Salem, Oblix's senior vice president of products and technology.

SAML will allow companies to know a customer has permission to conduct business on various participating networks, said Bill Bartow, Netegrity's vice president of marketing. "SAML is the language used to describe this communication."
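To make that communication concrete, here is an added example (not code from the article or from any of the vendors it names) of the checks a partner site would run on an incoming assertion before trusting it: is the issuer one it trusts, is the assertion still within its validity window, and was it minted for this site rather than another partner? The XML follows the SAML 1.x assertion layout; the issuer, audience, user name and timestamps are constructed sample values, and XML signature verification is assumed to happen separately.

```python
# Added example: relying-party checks on a SAML 1.x assertion (constructed sample data).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed assertion: identity provider "idp.example" vouches for user "alice"
# to the partner site "https://shop.example" for a five-minute window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_sample-1"
    Issuer="idp.example" IssueInstant="2001-10-01T12:00:00Z">
  <saml:Conditions NotBefore="2001-10-01T12:00:00Z" NotOnOrAfter="2001-10-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://shop.example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-10-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"idp.example"}  # assumed: issuers whose assertions this site accepts


def _ts(s):
    """Parse the UTC timestamps used in the sample ("2001-10-01T12:00:00Z")."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, now):
    """Return (user_name, "ok") or (None, reason). XML-DSig verification is assumed
    to have been done before this point; it is not implemented here."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        return None, "no validity window"
    if not (_ts(nb) <= now < _ts(na)):
        return None, "outside validity window"
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if expected_audience not in audiences:
        return None, "wrong audience"  # assertion was minted for a different partner site
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return None, "no subject"
    return name.text, "ok"
```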

SAML does have obstacles. No. 1 is that Microsoft's Passport and Windows platforms so far don't support it. Instead, Microsoft is using Kerberos - a standard protocol developed by the Massachusetts Institute of Technology that runs on the Unix platform - as its authentication mechanism.

A Microsoft representative would not comment on SAML. But Doug Bayer, director of Windows Security, attended the last SAML meeting in August, when the committee discussed integrating Kerberos and SAML.

"I think it's very clear to everyone in the SAML committee that interoperability with the Microsoft way of doing things is a requirement in some form or another," said Irving Reid, Baltimore Technologies' principal technical architect.

Frank Prince, a Forrester Research senior analyst, agreed that Microsoft will be a critical partner in SAML's success. "In their e-marketplace, they own [access to] all the software, so they don't really need SAML yet," Prince said. "Microsoft is a market unto itself."