Second-generation XML security preview: SAML


Ed Tittel
08.25.2004

On August 19, 2004, the OASIS Security Services Technical Committee released a draft specification of the Security Assertion Markup Language (SAML), Version 2.0. This means the specification is open for public review and comment, and that input will be taken into account before the specification reaches its final form as a recommendation, probably by the end of this year. (The review period lasts for one month, or until September 19.)

SAML works by having system entities make assertions about security subjects. In plainer English, this means that SAML states conditions, makes restrictions, checks validity of requesters, and performs other standard security operations when somebody tries to access a system resource. System entities provide access controls, track and manage authentication, establish and maintain security sessions and contexts, and so forth. A security subject is essentially any object or resource recognizable to a system entity that has associated security properties, access controls, privileges, identities, operations, and so forth.

What makes SAML interesting is that it can use other protocols for transport—to permit distributed requests for and management of security subjects by system entities—including HTTP Post messages, XML-encoded SOAP messages, or other well-documented (and hopefully, secure) message transports. In addition, SAML defines a set of processing rules for handling and responding to such messages. SAML assertions and messages use XML for encoding, and employ XML namespaces to identify and rationalize markup and external references. A special binding specification for SAML governs how SAML messages may be built into applications, and a special profiles specification for SAML provides baseline profiles that demonstrate how SAML assertions and protocols may be used for specific purposes and to permit multiple applications that use SAML to work together.

Enhancements to SAML 2.0 include:

SAML 2.0 also incorporates work on identity federation based on specifications contributed by the Liberty Alliance, and has been adopted to greater or lesser extents by that organization, the Internet2 Shibboleth Project, and the OASIS Web Services Security Technical Committee as well. It purports to have benefited from experience with and feedback on SAML 1.0 (November, 2002) and SAML 1.1 (September, 2003), and is implemented in products or services from "…all major Web management vendors…" and "…supported in major application server products…and Web services management and security vendors" (quoted from the Cover Pages story cited in the next paragraph).

As usual, the Cover Pages do an excellent job of covering this announcement and its related subject matter. You'll also find links to numerous related documents there, including specifications for SAML assertions and protocols, bindings, profiles, metadata, authentication context, and more.


Ed Tittel is a writer, trainer, and consultant based in Austin, TX, who writes and teaches on XML and related vocabularies and applications. E-mail Ed at etittel@lanw.com.


All Rights Reserved, Copyright 2001 - 2009, TechTarget | Read our Privacy Policy