OASIS on Monday ratified the long-anticipated Security Assertion Markup Language (SAML) Version 2.0, formalizing a key standard for federated security.
Version 2.0 adds key functions to create and manage federated networks that share preexisting repositories of identity information. It unifies the protocols defined in SAML 1.0, such as single sign-on, with work the Liberty Alliance Project did through its identity federation framework.
SAML, which enables the secure exchange of authentication, attribute and authorization information across security boundaries, leverages core Web services standards, including XML, SOAP, Transport Layer Security, XML Signature and XML Encryption.
"Prior to SAML, there was no XML-based standard that enabled the exchange of security information between a security system and an application," said John Pescatore, analyst at Stamford, Conn.-based Gartner Inc. "SAML also specifies a Web services-based request/reply protocol for exchanging these statements."
Last month, the Liberty Alliance released the public draft of its Identity Web Services Framework 2.0 specification, which was extended to support the SAML 2.0 specification. Now developers can use SAML assertions to communicate identity information, such as authentication status, user attributes and authorization decisions, between identity-based Web service transactions.
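As an added illustration, not code from the article, from OASIS or from any vendor named here, the Python below shows what a SAML 2.0 assertion carries and what a relying party must check before trusting it. It constructs an assertion holding the three statement types named above (an authentication statement, an attribute statement and an authorization decision statement) and then consumes it, enforcing the issuer, the NotBefore/NotOnOrAfter validity window and the audience restriction. The issuer, audience, subject, attribute names and resource URL are made-up sample values; the element names, namespace URN, authentication-context class and action namespace are the ones the SAML 2.0 schema defines. XML Signature verification, which a real consumer must perform before reading any of these fields, is assumed to have been done already by an XML-DSig library, since the standard library cannot do it.

```python
"""Build and consume a minimal SAML 2.0 assertion (added example, constructed data)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)


def _ts(dt):
    # xsd:dateTime in UTC with a trailing 'Z', as SAML requires
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _el(parent, name, attrib=None, text=None):
    el = ET.SubElement(parent, f"{{{SAML_NS}}}{name}", attrib or {})
    el.text = text
    return el


def build_assertion(issuer, subject, audience, attributes, decision, now):
    """Return an unsigned <saml:Assertion> with all three statement types.

    A real identity provider would also wrap this in an XML Signature.
    """
    root = ET.Element(f"{{{SAML_NS}}}Assertion",
                      {"Version": "2.0", "ID": "_sample-1", "IssueInstant": _ts(now)})
    _el(root, "Issuer", text=issuer)
    subj = _el(root, "Subject")
    _el(subj, "NameID",
        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}, subject)
    # Conditions bound the assertion in time and to one relying party
    cond = _el(root, "Conditions",
               {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    _el(_el(cond, "AudienceRestriction"), "Audience", text=audience)
    # 1. authentication statement: how and when the subject authenticated
    authn = _el(root, "AuthnStatement", {"AuthnInstant": _ts(now)})
    _el(_el(authn, "AuthnContext"), "AuthnContextClassRef",
        text="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    # 2. attribute statement: user attributes
    attrs = _el(root, "AttributeStatement")
    for name, value in attributes.items():
        _el(_el(attrs, "Attribute", {"Name": name}), "AttributeValue", text=value)
    # 3. authorization decision statement: Permit/Deny/Indeterminate for a resource
    resource, action, result = decision
    authz = _el(root, "AuthzDecisionStatement", {"Resource": resource, "Decision": result})
    _el(authz, "Action", {"Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}, action)
    return ET.tostring(root, encoding="unicode")


def consume_assertion(xml_text, expected_issuer, expected_audience, now):
    """Check the trust-relevant fields, then extract the three statements.

    Assumes the enveloping XML Signature was already verified; never call this
    on an unverified assertion.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
        "decisions": [(d.get("Resource"), d.get("Decision"))
                      for d in root.findall("saml:AuthzDecisionStatement", NS)],
    }


def rejection_reason(xml_text, issuer, audience, now):
    """Return the ValueError message the consumer raises, or None if accepted."""
    try:
        consume_assertion(xml_text, issuer, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Accept a fresh assertion, then show three ways a consumer must reject it."""
    now = datetime(2005, 3, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    idp, sp = "https://idp.example.org", "https://sp.example.com"  # sample values
    xml_text = build_assertion(idp, "alice@example.com", sp,
                               {"mail": "alice@example.com", "role": "auditor"},
                               (sp + "/reports", "Read", "Permit"), now)
    soon = now + timedelta(minutes=1)
    return {
        "accepted": consume_assertion(xml_text, idp, sp, soon),
        "wrong_audience": rejection_reason(xml_text, idp, "https://other.example.net", soon),
        "expired": rejection_reason(xml_text, idp, sp, now + timedelta(minutes=10)),
        "wrong_issuer": rejection_reason(xml_text, "https://evil.example.org", sp, soon),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The order of checks matters in practice: issuer and validity window are decided before the audience, so an assertion replayed against a different service provider, or one presented after NotOnOrAfter, is refused even when its contents are otherwise well formed. A production consumer additionally needs XML-DSig verification against the issuer's known key, replay detection on the assertion ID, and a hardened XML parser.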
"SAML is fast becoming the dominant Web services standard for federating 'identity as a service,'" said Eugene Kuznetsov, chief technology officer and chairman of Cambridge, Mass.-based DataPower Technology. "The 2.0 version of SAML and the very successful 12-vendor OASIS SAML Interoperability Lab at the RSA conference are further proof of SAML's maturity."
In February, at least 12 vendors teamed up with the U.S. General Services Administration's E-Gov E-Authentication Initiative to demonstrate the interoperability of SAML 2.0 using a combination of Web single sign-on and single logout scenarios.
In separate statements, BEA Systems Inc., IBM, Oracle Corp., SAP AG and Sun Microsystems Inc. said they support the latest iteration of the standard.
SAML 2.0's approval comes on the heels of the ratification of the Extensible Access Control Markup Language (XACML) 2.0, which defines an XML schema for representing authorization and entitlement policies. SAML and XACML share a common domain model and complement one another.
While SAML enables the secure exchange of identity information across security boundaries, XACML uses that information to decide access to resources: a policy enforcement point intercepts the request and hands the subject, resource and action to a policy decision point, which evaluates the applicable policy and returns the decision that the enforcement point carries out.
"SAML 2.0 is the underpinning of identity-based integration," said Miko Matsumura, vice president of marketing at Cupertino, Calif.-based Infravio Inc. "As Web services applications integrate with business processes (through standards like BPEL), securely managed identities become endpoints for orchestration and workflow."