SAML Apps Before Their Time?

Single-sign-on apps may arrive before the spec, causing interoperability problems down the road.

Customer demand for single-sign-on security for B2B sites is pushing vendors to deliver applications months ahead of specification approval—even at the risk of creating weak products now and a weaker spec later.

The product push comes even as many in the security and e-commerce industry look to SAML (Security Assertion Markup Language) to provide the security piece long absent from the business-to-business puzzle.

SAML, which has been under development since January, will allow users to carry their authentication and entitlement credentials with them as they surf through partner sites.

"The idea [of SAML-based applications] is on target, but it does give me some concern that [vendors are] coming out this soon," said Michael McCormick, system architect at Wells Fargo & Co., of San Francisco, a user of Netegrity Inc.s SiteMinder access management product. "Theres a potential risk that SAML could change in the time between when they deliver their application and the time SAML is complete. All you could do is use it in a closed Netegrity environment."

To that end, Netegrity last week at its user conference in Boston announced plans to launch its AffiliateMinder in the second half of the year. The application relies on SAML to provide common services such as access management, entitlement and authentication across multiple-affiliated Web sites.

The SAML specification is being developed by a technical committee at the Organization for the Advancement of Structured Information Standards, and the final specification could be confirmed as early as late next month. It includes some elements of AuthXML and is based on Security Services Markup Language, Netegritys own language. However, it wont achieve standard status until at least the fourth quarter.

At its best, SAML will let companies that use different security solutions exchange authentication and authorization data, something that isnt possible right now. It is designed to work with HTTP, SMTP, FTP and several XML (Extensible Markup Language) frameworks, such as SOAP (Simple Object Access Protocol) and ebXML.

However, its possible that an application based on an early version of the SAML spec will not fully interoperate with one that supports a later version.

"We all see the importance of this effort," said Enrique Salem, vice president of products and technology at Oblix Inc., an access management vendor based in Cupertino, Calif. "No one vendor will have all of the customers, so we have to interoperate. Were going to wait until the final spec is finished."

To some, the deployment of early SAML implementations also brings to mind problems with other vendor-driven protocols, such as Cisco Systems Inc.s proprietary Wired Equivalent Privacy, now part of the 802.11b wireless LAN standard. The protocol, which was never submitted for peer review, remains riddled with security problems, highlighting the conflict of interest inherent when a vendor has a vested interest in protocol approval.

Netegrity CEO Barry Bycoff acknowledged that the Waltham, Mass., vendor will, at least, have to update its product when the final spec is issued but said that its in the companys best interest to get to market first.