The recent approval of the Security Assertions Markup Language 2.0 security standard by OASIS, and the Liberty
Alliance's announcement that it was undertaking SAML 2.0 interoperability testing, means that the standard has gotten the blessing of the major standards-setting bodies.
This bodes well for the future of Web services, because security and authentication issues have a difficult time getting Web services acceptance. The increasing acceptance of SAML means that the Holy Grail of authentication -- so-called "single sign-on" -- is one step closer to becoming a reality.
In this second part of a two-part column, we'll look at the implications of the growing acceptance of SAML 2.0, and why the standards-setting bodies believe that it's a great leap forward for Web services.
First a brief refresher course. XML-based SAML is an authentication and authorization method that provides a single sign-on so that people can be authenticated once and then be able to access multiple Web services. It allows sites to accept authenticated users from other sites. Version 2.0 added several important features to make universal single sign-on even more useful than previous versions.
The core of SAML's usefulness has to do with identities, and how those identities can be used. And 2.0 represents a big step forward in how identities can be used, especially as how it relates to Web services, said Prateek Mishra, of Principal Identity and a co-chairman of OASIS Security Services Technical Committee.
"On the Internet, there is a division between where identities reside, and where services reside," he said, and this makes it more difficult for people to use multiple Web services.
"You have one identity at your employer, another at your bank, another at a portal, another at eBay and so on," he explained. "And you also have thousands of service providers who can be providing you with services. SAML is the bridge that allows some of my identities to be reused, so, for example, my banking identity could be used by third parties providing services to my bank."
This means more than simply eliminating multiple sign-ons. The standard also allows businesses to create rules about what information in each identity can and can't be shared with each individual partner -- and also gives that power to the user as well, when applicable.
This may sound simple, but it has significant implications, both for technology and for business. Mishra said, "You cannot build a scalable Internet without a protocol like SAML 2.0, because without it, identity is siloed in too many different places. It addresses a very basic gap that exists at the heart of the Internet."
Rob Philpott, of RSA Security and a co-chairman OASIS Security Services Technical Committee, added that SAML 2.0 comes at a particularly important time because "the number of identities we have are exploding," and there are an increasing number of regulatory requirements that govern privacy and how data can be used. Without a standard like SAML 2.0 that allows businesses to create automated rules to comply with those regulations, companies would soon become ensnared in a costly red tape.
SAML 2.0 will also reduce costs for service providers, making it more cost-efficient for them to provide their services to multiple partners. Currently, when a provider signs a contract to offer services to a corporation's employees -- managing a 401(k) program, for example -- that provider has to take on the cost of managing each individual's identity.
This is a sizable and costly task, noted Roger Sullivan, Oracle vice president for business development of identity management and a Liberty Alliance board member. It means importing all the data, and then managing each user's password and username, with all of the costly help desk support that is required.
With SAML 2.0, none of that is necessary. SAML will allow the corporation to manage the identities, and those identities can then be automatically exchanged with service providers, drastically cutting costs.
As any developer knows, creating a standard is one thing, but actually having products adequately support that standard is another thing entirely. Not uncommonly, vendors claim to support standards, but in fact they may only support them partially.
Without interoperability, though, SAML 2.0 won't serve much use. The odds of two business partners using the exact same mix of development and other tools are extremely unlikely. Organizations need to know that when they build their end of the SAML interface, it can properly talk to their partners.
To that end, the Liberty Alliance has begun interoperability testing, to ensure that products that claim to adhere to SAML 2.0 actually do so. Sullivan said approximately 30 products from 15 vendors have already passed the tests, with more on the way. To pass the test, a product has to interoperate with SAML 2.0 implementations from at least two other vendors that have already passed the tests. For details, check out www.projectliberty.org.
What the future holds
SAML 2.0 was only recently approved, so its benefits have yet to be known. But Philpott expects that there will be a growing and significant number of Web services deployments using SAML 2.0. And everyone interviewed for this column believes that eventually, the authentication it provides will be built into many, if not most, of the Web services projects that involve partnering, security and identity.
About the Author
Preston Gralla is an expert on Web services and is the author of more than 20 books, including How the Internet Works. He can be reached at email@example.com.