Members of the Oasis interoperability consortium have approved the
Security Assertion Markup Language (SAML) as an Oasis open
standard.
The move paves the way for the XML-based framework to enable secure
single sign-on (SSO) and other security functions for Web services
transactions spanning multiple hosted sites.
The Liberty Alliance has earmarked SAML 1.0 as crucial for federated
identity management in Web services, and it is already on the fast
track for implementation in a number of Web access management and
Web services security products.
IT vendors credited with the development of SAML include IBM,
Hewlett-Packard, BEA, Sun, VeriSign, Computer Associates,
Netegrity, RSA, Baltimore, Entrust, Oblix, OpenNetwork, Hitachi and
Quadrasis, as well as other members of the Oasis Security Services
Technical Committee.
According to Oasis (the Organisation for the Advancement of
Structured Information Standards), SAML promises to let users move
freely between multiple Web sites without repeatedly entering their
credentials at each one.
The specification exchanges authentication and authorisation
assertions as XML documents carried over Soap and HTTP, relies on
Transport Layer Security (TLS) to protect them in transit, and its
browser-based SSO profiles work with any standard Web browser.
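What the relying site actually does with such an assertion is the security-relevant part: before it grants single sign-on it must check the version, that the issuer is one it trusts, that the validity window has not passed, and that the assertion was addressed to it. The following is an added example, not code from the article or from any Oasis or vendor implementation. The assertion text is constructed for illustration, the issuer and audience URLs are hypothetical, and the XML signature check that a real relying party performs first is deliberately left out.

```python
"""Relying-party checks on a SAML 1.0 authentication assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Hypothetical trust configuration of the relying site (not from the article).
TRUSTED_ISSUERS = {"https://idp.example.com"}
MY_AUDIENCE = "https://sp.example.net"

# Constructed sample assertion; issuer, audience and subject are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    Issuer="https://idp.example.com"
    IssueInstant="2002-11-20T12:00:00Z">
  <saml:Conditions NotBefore="2002-11-20T12:00:00Z" NotOnOrAfter="2002-11-20T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.net</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-11-20T11:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier>alice@example.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""


def parse_instant(value):
    """SAML 1.0 timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now,
                       skew=timedelta(seconds=30)):
    """Return the list of reasons to reject the assertion; empty means accept.

    Signature verification is NOT done here and must precede these checks.
    expat does not fetch external entities, but it is not hardened against
    entity-expansion attacks; production code should use a hardened parser.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        return ["root element is not a SAML 1.0 Assertion"]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "0"):
        problems.append("unsupported SAML version")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        problems.append("untrusted issuer %r" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        # The spec permits an unconditioned assertion; a relying party should not.
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        # Validity window, tolerating a small clock skew between the two sites.
        if nb and now + skew < parse_instant(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_instant(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        # An assertion minted for another site must not log the user in here.
        if audiences and my_audience not in audiences:
            problems.append("assertion not addressed to this audience")

    if root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS) is None:
        problems.append("no authenticated subject")
    return problems


def subject_of(xml_text):
    """Name of the authenticated subject, only meaningful after validation."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    return node.text if node is not None else None


def check_at(instant, issuers=TRUSTED_ISSUERS, audience=MY_AUDIENCE):
    """Validate the constructed sample as seen at a given UTC instant."""
    return validate_assertion(SAMPLE_ASSERTION, issuers, audience, parse_instant(instant))


if __name__ == "__main__":
    for when in ("2002-11-20T12:02:00Z", "2002-11-20T12:06:00Z"):
        print(when, check_at(when) or "accepted:", subject_of(SAMPLE_ASSERTION))
```

The five-minute window, the audience restriction and the trusted-issuer list are exactly the knobs that the business agreements discussed below have to settle: who the relying site will believe, for how long, and about whom.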
However, some security experts expect that the business side of Web
services and federated identity will demand far more scrutiny than
producing SAML-friendly products and environments.
"Before we see a whole lot of federation through SAML, you have to
re-examine business agreements, contracts, and make sure language
is right and who's going to accept reliability. How is the trust
relationship going to be set up and managed?" said Gerry Gebel, an
analyst for The Burton Group. "There's a little bit of uncertainty
in what that's going to entail and what best practices will emerge
as a template for people to use."