Will SAML help secure your Web applications?
Last week, the Organization for the Advancement of Structured Information Standards (OASIS) approved the new Security Assertion Markup Language (SAML), which has been in development for some time. SAML uses XML to enable new Web-based security functions that interoperate across different Web sites, which will help create federated networks.
In April 2002, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security), and in the June 12, 2002, Security UPDATE commentary, I discussed WS-Security to some extent. The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), SAML, and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Sun Microsystems also announced Liberty Alliance, its effort to help develop federated network technology.
According to James Kobielus, senior analyst at Burton Group, "SAML 1.0 supports secure interchange of authentication and authorization information by leveraging the core Web services standards of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors of Web access management solutions have committed to SAML 1.0 and are currently implementing the specification in their products."
Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security Services Technical Committee, said that a major SAML design goal was single sign-on (SSO) capabilities, which would let users authenticate in one domain and access resources in another domain. SAML 1.0 includes that capability. In addition, according to Pato, "Several profiles of SAML are currently being defined that support different styles of SSO and the securing of SOAP payloads."
If you're completely unfamiliar with WS-Security, read Christa Anderson's summary of the technology, which helps explain what it is and what it can do. You'll find her article, "WS-Security Sets Standard for Web Services Transactions."
If you're a Web developer or you administer Web server security, you might be interested in reading about SAML assertions and protocols in a document that outlines the syntax and semantics. Another specification document can help you obtain a better understanding of how SAML works with WS-Security. That document describes how to use WS-Security headers to securely add SAML assertions.
But there's a catch regarding Microsoft's implementation of SAML. In July, "Network World Fusion" reported that Microsoft is implementing SAML 1.0, but only to a limited extent. In the article, Kobielus said, "\[Microsoft is\] not implementing the full suite of SAML assertions and profiles the way others are ... At some point you have to ask what is the purpose, if Microsoft is going to do it their own way." The article points out that Microsoft used the same tactic when the company implemented Kerberos in Windows 2000. To learn more about how Microsoft implements SAML, be sure to read the related Microsoft document, "WS-Security Profile for XML-based Tokens," on the Microsoft Web site.
According to OASIS, Baltimore Technologies, BEA Systems, Computer Associates (CA), Entrust, HP, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun, VeriSign, and other members of the OASIS Security Services Technical Committee developed the SAML OASIS Open Standard.
Many vendors support SAML, and some of you might have begun using the technology before its official approval. Please participate in our Instant Poll this week and tell us whether you use SAML or some other credential technology for your Web applications.