On August 19, 2004, the OASIS Security Services Technical Committee released a draft specification of the Security Assertion Markup Language (SAML), Version 2.0. This means the specification is open for public review and comment and will take cognizance of such input before reaching its final form as a recommendation, probably by the end of this year. (The review period lasts for one month, or until September 19.)
SAML works by making assertions about security subjects by system entities. In plainer English, this means that SAML states conditions, makes restrictions, checks validity of requesters, and performs other standard security operations when somebody tries to access a system resource. System entities provide access controls, track and manage authentication, establish and maintain security sessions and contexts, and so forth. A security subject is essentially any object or resource recognizable to a system entity that has associated security properties, access controls, privileges, identities, operations, and so forth.
What makes SAML interesting is that it can use other protocols for transport—to permit distributed requests for and management of security subjects by system entities—including HTTP Post messages, XML-encoded SOAP messages, or other well-documented (and hopefully, secure) message transports. In addition, SAML defines a set of processing rules for handling and responding to such messages. SAML assertions and messages use XML
Enhancements to SAML 2.0 include:
- Session support, for session creation, maintenance, and teardown to maintain unique security contexts.
- Exchange of metadata about assertions and message protocols and formats to ensure better interoperability.
- Various mechanisms for collection and management of security credentials.
SAML 2.0 also incorporates work on identity federation based on specifications contributed by the Liberty Alliance, and has been adopted to greater or lesser extents by that organization, the Internet2 Shibboleth Project, and the OASIS Web Services Security Technical Committee as well. It purports to have benefited by experience with and feedback on SAML 1.0 (November, 2002) and SAML 1.1 (September, 2003), and is implemented in products or services from "…all major Web management vendors…" and "…supported in major application server products…and Web services management and security vendors" (quoted from the Cover Pages story cited in the next paragraph).
As usual, the Cover Pages do an excellent job of covering this announcement and its related subject matter. You'll also find links to numerous related documents there, including specifications for SAML assertions and protocols, bindings, profiles, metadata, authentication context, and more.
Ed Tittel is a writer, trainer, and consultant based in Austin, TX, who writes and teaches on XML and related vocabularies and applications. E-mail Ed at firstname.lastname@example.org.
This was first published in August 2004