SAML frames ID debate

A consortium of vendors will rally behind SAML (Security Assertion Markup Language) during a public demonstration of the specification this week, in their determination to agree on a unified approach to Web services interoperability.

Taking centre stage at The Burton Group's Catalyst 2002 conference in San Francisco this week, a range of vendors, including IBM/Tivoli Systems, Novell, Netegrity, ePeople, RSA Security, and Oblix, will use the event to announce plans to implement the authorisation aspects of SAML in upcoming products.

SAML is expected to receive official ratification from the Organization for the Advancement of Structured Information Standards by November, according to industry sources.

Version 1.0 of SAML is designed to facilitate the exchange of authentication information among Web access management and security products within a Web browser profile and represents a competing alternative to Microsoft's Kerberos and Passport SSO (single sign-on) technologies.

The cross-enterprise Web SSO demonstration event at the conference will highlight the Identity and Access Management Federation, which features companies implementing fellow vendors' Web access management products to share, authenticate, attribute, and authorize information. A second demonstration will provide authentication at portal sites and then access Web resources managed by other federated content sites, according to Burton officials.

SAML's rising popularity among both vendors and enterprises comes at a time when the Liberty Alliance and Microsoft fight to establish competing federated SSO systems for facilitating e-commerce.

Today the Liberty Alliance will lift the cover off its long-awaited SSO standard. It follows Microsoft's announcement last week of a deal with Arcot Systems to enable users of its system to make online transactions using Visa and MasterCard, both of which are Liberty Alliance members.

The developments highlight the battle between the Microsoft and Liberty Alliance camps to establish a single authentication standard. Noting that certain parties want the Liberty Alliance's standard "to fail no matter how great it is", Mike Neuenschwander, senior analyst at Burton, said he expects the sparks to fly as cross-development of standards becomes more apparent.

"SAML is becoming part of Liberty, and you have Microsoft Kerberos evolving into Passport," Neuenschwander said. "Suddenly you have these two well-publicised, much more dramatic ships that will pass in the night at Catalyst." In fact, Neuenschwander said that Liberty's first specification phase would rely "quite heavily" on aspects of SAML.

Neuenschwander said that most vendors are being forced to support Microsoft .net but secretly want the Liberty Alliance to succeed.

"Right now we're seeing more of a war of words. [But] for the [IT] architect person, it has a lot of ramifications ... how these technologies will affect them down the road," Neuenschwander added.

IBM will announce its support of SAML in the next version of its Tivoli Access Manager, due in the first half of 2003, according to Leo Cole, director of product management at Tivoli. Cole said IBM has no immediate plans to join the Liberty Alliance, nor to support its SSO specification.

RSA Security is following suit, announcing this week that it plans to implement SAML across its product lines during the next quarter and in the early part of 2003, starting with its Web SSO offering RSA ClearTrust, said Ted Kamionek, senior product manager of the Web access management division at RSA.

Kamionek said RSA also plans to announce a Liberty Alliance-inspired product by the end of this year. Likewise, Sun Microsystems has already announced plans to offer technology based on the Liberty specification shortly after it is released.

A prospective member of the Liberty Alliance, Oblix will also announce its SAML-ready NetPoint 6.0 product at Catalyst. Its solution also features integration with Windows .net server and Microsoft IIS (Internet Information Server), said Nand Mulchandani, CTO and co-founder of Oblix.

Novell intends to position its directory strength as a Web services authentication "hub" and will unveil its "Project Destiny" road map at Catalyst.

Destiny, which will focus on Web services, dynamic identity, intelligent infrastructure and federated trust, will consist of several directory services releases during the next 18 months, starting with its UDDI (Universal Description, Discovery, and Integration) server later this year.

Netegrity will announce two new products: Identity Minder, which adds workflow integration to identity management processes; and Transaction Minder, which offers policy-based authentication and authorisation for Web services.

Collaborative CRM vendor ePeople will announce the availability of the ePeople SSO adapter based on SAML standards.