OASIS Ratifies SAML Spec

SAML support is already included in the products of many security vendors.

The SAML 1.0 specification on Wednesday got a big boost when OASIS (Organization for the Advancement of Structured Information Standards) approved the specification as a standard.

The approval was something of a formality, considering that many security vendors have already added SAML support to their products. SAML (Security Assertion Markup Language) is one of several intertwined standards emerging in the nascent field of Web services security.

It is an XML framework that enables organizations to exchange users authentication and authorization information. It is being used widely in the deployment of Web single-sign-on solutions.

SAML also plays a big role in the Liberty Alliance Projects specification, which describes an architecture for federated identity management.

"Ratification of SAML by OASIS for the first time provides a ubiquitous security context that allows companies to interoperate securely across business units within the firewall and with their customers and partners outside the firewall," said Don Flinn, chief security architect at Quadrasis, a business unit of Hitachi Computer Products America Inc., Waltham, Mass. "SAML is core to our Quadrasis EASI Security Unifier, a solution to solve enterprise application security integration across the multiple tiers, platforms, and security components of the enterprise. We will continue our efforts to advance the WS-Security and SAML specifications."

The SAML specification was developed by a broad range of security and application vendors, including Baltimore Technologies plc, RSA Security Inc., Oblix Inc. and IBM. Many of these same companies are also involved in advancing the WS-Security specification in OASIS. WS-Security ensures message integrity and confidentiality and is designed to serve as a base upon which high-level security technologies and standards can be layered.

Throw in Microsoft Corp.s .Net Passport identity management service and you have a rats nest of interrelated specifications, standards and technologies.

While there has been a lot of posturing among the companies involved in the various standards efforts, some executives involved in the process say that in the end, the resulting services will be quite similar.

"At the end of the game, they all boil down to the same single-sign-on, cookie management, HTTP redirect technologies," Nand Mulchandani, chief technology officer and co-founder of Oblix, based in Cupertino, Calif., said of the Liberty-Passport debate. "Whatever happens, were ready to handle it."

Oblixs NeoPoint solution already includes SAML support, as do products from RSA, Baltimore, Entrust Inc. and Netegrity Inc. Other vendors, including IBM and Computer Associates International Inc., are incorporating SAML into forthcoming products.

Additional reporting by Darryl Taft