Oasis approves SAML 1.1

The Oasis internet standards consortium said that its members ratified SAML (Security Assertion Markup Language) Version 1.1 as...

The Oasis internet standards consortium said that its members ratified SAML (Security Assertion Markup Language) Version 1.1 as an official standard, which will improve interoperability with other web services security standards.

The vote assigns the highest level of Oasis (The Organization for the Advancement of Structured Information Standards) ratification to SAML 1.1 and could open the door for wider adoption of the XML framework for companies using web services to conduct high-value transactions, according to Prateek Mishra of Netegrity, co-chair of the Oasis Security Services Technical Committee.

SAML is a standard that supports so-called "federated identity" systems in which user authentication and authorisation information is securely exchanged between websites within an organisation or between organisations.

SAML enables a user to sign on once to web-enabled services, instead of having to log in repeatedly when they move from one website or web-enabled application to another.

The SAML 1.0 standard, which was approved in November 2002, is widely in use by major corporations including the Boeing and Fidelity Investments.

The latest version of SAML includes a number of updates and fixes for problems identified in the 1.0 standard.

In particular, SAML 1.1 revised guidelines for the use of digital certificates to sign SAML user authentication exchanges, known as SAML assertions.

SAML 1.0 standards were vague about how to sign SAML assertions digitally, creating interoperability problems between different companies implementing web services using the 1.0 standard, Mishra said.

Only a "small group" of companies are interested in using digital certificates to sign SAML assertions. However, that group is growing as companies look for ways to exchange sensitive data with employees and business partners while also verifying that digital transactions took place - a capability known as "non-repudiation," he said.

"I think people are definitely getting interested in using SAML for higher value transactions. Organisations want a signed form of nonrepudiation, and we definitely see that as a step towards wider adoption (of SAML), " Mishra said.

Having handed off the SAML 1.1 standards, Oasis' Security Services Technical Committee is now at work on the SAML 2.0 specification, Mishra said. That version will come with major additions to the standard based on feedback from large companies.

Paul Roberts writes for IDG News Service


Read more on IT strategy