SAML 1.0 specification given thumbs-up

Members of the Oasis interoperability consortium have approved the Security Assertion Markup Language (SAML) as an Oasis open standard.

The move paves the way for the XML-based framework to enable secure single sign-on (SSO) and other security functions for Web services transactions spanning multiple hosted sites.

Earmarked as crucial for federated identity management within Web services by The Liberty Alliance, SAML 1.0 is already on the fast track for implementation among a number of Web access management and Web services security products.

IT vendors credited with the development of SAML include IBM, Hewlett-Packard, BEA, Sun, VeriSign, Computer Associates, Netegrity, RSA, Baltimore, Entrust, Oblix, OpenNetwork, Hitachi and Quadrasis, as well as other members of the Oasis Security Services Technical Committee.

According to Oasis (the Organisation for the Advancement of Structured Information Standards), SAML promises to let users move freely between multiple Web sites without repeated manual input of trusted credentials.

The specification promotes the exchange of authentication and authorisation materials by making use of Web services standards such as XML, SOAP, and Transport Layer Security (TLS), and integrates with HTTP or any Web browser.

However, some security experts expect that challenges on the business side of Web services and federated identity will require a great deal more scrutiny than producing SAML-friendly products and environments.

"Before we see a whole lot of federation through SAML, you have to re-examine business agreements, contracts, and make sure language is right and who's going to accept reliability. How is the trust relationship going to be set up and managed," said Gerry Gebel, an analyst for The Burton Group. "There's a little bit of uncertainty in what that's going to entail and what best practices will emerge as a template for people to use."
