Rush Is on to Back Security Spec

RSA, Netegrity, Baltimore to demo SAML-compliant solutions at show.

As security industry insiders gather this week in San Francisco for the coming-out party for the Security Assertion Markup Language specification, vendors are rushing to include support for the proposed standard in their product lines.

RSA Security Inc. this week will show off a SAML-compliant version of its ClearTrust Web access management software while announcing that it intends to support the specification across its entire product line. RSA's announcement follows similar moves by vendors such as Netegrity Inc. and Baltimore Technologies plc.

The SAML 1.0 specification has been a long time in the works at the Organization for the Advancement of Structured Information Standards, and players in the nascent Web services market have been eager to see if it lives up to expectations. The specification is an XML-based framework for exchanging authentication and authorization data designed to enable secure single sign-on to applications.

Although OASIS released the specification this spring, vendors are just now beginning to work it into their products.

A group of vendors including RSA, Netegrity and Baltimore will be demonstrating their solutions as part of the SAML Interoperability event at Burton Group's Catalyst Conference in San Francisco this week. The demonstration will showcase an online marketplace that will transfer users' security credentials and information among affiliated sites once they sign on to any of the sites.

Industry executives see this event as an important milestone on the road toward the broad adoption of Web services.

"SAML fills a void that's been there in Web services," said Ted Kamionek, senior product manager for ClearTrust at RSA, based in Bedford, Mass. "It's very good for a Version 1 [specification]. The important thing is that it allows interoperability among products because customers don't want to be locked into one vendor."

The SAML Interoperability event is the culmination of a series of smaller gatherings on both coasts during which vendors brought their products to designated labs to prove they were SAML-compliant. RSA hosted the East Coast lab, while Sun Microsystems Inc. was the site of the West Coast lab.

The next version of the SAML specification is in the works and will likely address areas that the 1.0 release does not, such as setting up a centralized trust relationship among sites. Currently, the involved sites must already have such a relationship.