SAML 2.0 Provides Hope for Federated ID

The Liberty Alliance Project's identity federation effort gets a boost from SAML 2.0, but business challenges must be overcome for the architecture to take hold.

The submission of the SAML 2.0 specification this month for consideration as an OASIS standard could bring fundamental changes to the way we federate identity during the next few years.

Security Assertion Markup Language 2.0 unites the defined protocols for single sign-on, delegated administration and policy management of SAML 1.0 with the Liberty Alliance Project's identity federation framework (otherwise known as SAML 1.1). Officials at the alliance and the Organization for the Advancement of Structured Information Standards said they hope SAML 2.0 will become a unified standard for identity federation.

eWEEK Labs believes that open standards for federated identity are good news for IT managers. Open standards will enable enterprises to interact with one another more easily while respecting the privacy and security of shared identity information.

Many companies are already exploring federated identity, which grants one company's employees access to another company's systems without reauthorization. This system works particularly well for companies that collaborate or work with many third parties requiring access to data.

However, as with any technological revolution, it will take a fair amount of work for early-adopting IT managers to iron out all the kinks—particularly business and legal issues. It will also be interesting to see how political issues and rivalries—especially those between the Liberty Alliance and Microsoft Corp., with its rival Passport technology—will be resolved.

Microsoft says it has no plans to join the Liberty Alliance.

So far, the most successful building block for federation is SAML, an XML standard that enables the use of single sign-on to log on to affiliated but separate Web sites.

Originally developed within OASIS, SAML 1.0 specifies three components: assertions, protocol and binding. SAML 1.1 defines protocols for single sign-on, delegated administration and policy management.
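As an added illustration of the assertion component described above (not code from the article, the Liberty Alliance or OASIS), the following Python script builds a small SAML 2.0 assertion from constructed values and shows the checks a relying party makes on it before trusting the subject: issuer, validity window and audience restriction. The issuer, audience and NameID values are invented; XML signature verification, which must happen before any of these checks, is out of scope here.

```python
# Added example: a constructed SAML 2.0 assertion and the relying-party checks
# on its Issuer, Conditions and Subject. Signature verification (which comes
# first in a real deployment) is deliberately omitted.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: a hypothetical identity provider "https://idp.example.com"
# asserts user "user-42" to the hypothetical service provider "https://sp.example.com".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T12:00:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC with a "Z" suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       clock_skew=timedelta(seconds=30)):
    """Return (ok, reason, name_id); stops at the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", None

    # Only accept assertions from the identity provider we federate with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", None

    conditions = root.find("saml:Conditions", namespaces=NS)
    if conditions is None:
        return False, "missing Conditions", None

    # Validity window; NotOnOrAfter is exclusive. A small skew tolerates
    # clock drift between the two organizations.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before) - clock_skew:
        return False, "assertion not yet valid", None
    if not_on_or_after and now >= parse_time(not_on_or_after) + clock_skew:
        return False, "assertion expired", None

    # Each AudienceRestriction must list us; an assertion minted for another
    # relying party must not be accepted here. We also require at least one.
    restrictions = conditions.findall("saml:AudienceRestriction", namespaces=NS)
    if not restrictions:
        return False, "no AudienceRestriction", None
    for restriction in restrictions:
        audiences = [a.text for a in restriction.findall("saml:Audience", namespaces=NS)]
        if expected_audience not in audiences:
            return False, f"audience mismatch {audiences!r}", None

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject/NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    now = parse_time("2025-01-01T12:01:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com",
                             "https://sp.example.com", now))
```

The `now` argument is passed in rather than read from the clock so that the same assertion can be checked at different instants; in production it would be the current UTC time.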

In 2003 the Liberty Alliance took SAML and added account linking, improved capabilities for establishing trust between organizations and single-sign-out functionality to build a federation framework called ID-FF (Identity Federation Framework). Much of the alliance's work on ID-FF—as well as the Internet2 Consortium's work on Shibboleth, another identity management framework—was used to define SAML 2.0.

The Liberty Alliance continues to work with SAML. Earlier this month, the alliance announced the public draft release of ID-WSF 2.0, a second-generation framework for identity-based Web services. The framework was extended to include definitions for how SAML 2.0 assertions can be used to communicate identity among identity-based Web services.

"Successful identity management has become a critical factor in application development and the necessary foundation for deploying all Web services," said George Goodman, president of Liberty Alliance's management board and director of Intel Corp.'s Visualization and Trust Lab, in a prepared statement released by the alliance. "These specifications provide a blueprint for driving convergence between federated identity and Web services specifications, a necessary step to complete interoperability."

The draft release of ID-WSF 2.0 is part of the Liberty Alliance's road map for WSF 2.0 specifications, with this first phase focused on SAML 2.0 support. The alliance is expected to complete the second and third phases—designed to give users the ability to leverage custom Web services, among other things—by the end of this year.
