Oasis approves SAML 1.1


The Oasis internet standards consortium said that its members ratified SAML (Security Assertion Markup Language) Version 1.1 as an official standard, which will improve interoperability with other web services security standards.

The vote assigns the highest level of Oasis (The Organization for the Advancement of Structured Information Standards) ratification to SAML 1.1 and could open the door for wider adoption of the XML framework for companies using web services to conduct high-value transactions, according to Prateek Mishra of Netegrity, co-chair of the Oasis Security Services Technical Committee.

SAML is a standard that supports so-called "federated identity" systems in which user authentication and authorisation information is securely exchanged between websites within an organisation or between organisations.

SAML enables a user to sign on once to web-enabled services, instead of having to log in repeatedly when they move from one website or web-enabled application to another.

The SAML 1.0 standard, which was approved in November 2002, is widely used by major corporations, including Boeing and Fidelity Investments.

The latest version of SAML includes a number of updates and fixes for problems identified in the 1.0 standard.

In particular, SAML 1.1 revised guidelines for the use of digital certificates to sign SAML user authentication exchanges, known as SAML assertions.

SAML 1.0 standards were vague about how to sign SAML assertions digitally, creating interoperability problems between different companies implementing web services using the 1.0 standard, Mishra said.

Only a "small group" of companies are interested in using digital certificates to sign SAML assertions. However, that group is growing as companies look for ways to exchange sensitive data with employees and business partners while also verifying that digital transactions took place - a capability known as "non-repudiation," he said.

"I think people are definitely getting interested in using SAML for higher value transactions. Organisations want a signed form of nonrepudiation, and we definitely see that as a step towards wider adoption (of SAML)," Mishra said.

Having handed off the SAML 1.1 standards, Oasis' Security Services Technical Committee is now at work on the SAML 2.0 specification, Mishra said. That version will come with major additions to the standard based on feedback from large companies.

Paul Roberts writes for IDG News Service

