RealTime IT News

Liberty Supports SAML 2.0 in New Spec

Identity standards group Liberty Alliance has issued a draft of ID-WSF 2.0, its second version of the Web services framework, which supports Security Assertion Markup Language (SAML) 2.0.

SAML, which standards body OASIS created, maps out single sign-on utilities for creating and exchanging security information among online partners.

By supporting SAML 2.0, ID-WSF 2.0 will make it easier for developers to manage identity-based Web services, a distributed computing method that allows applications to communicate with each other to exchange purchase orders. Although Web services adoption is still in its infancy, according to research firms, reliable ID management could pick up the pace.

The Liberty Alliance includes member companies like Sun Microsystems, HP and NTT, all of which have invested time and money in bringing Web services to the market.

Paul Madsen, who represents NTT in both Liberty and OASIS, said the SAML 2.0 support is the biggest revision in ID-WSF 2.0. It uses SAML assertions and authentication statements for single sign-on to communicate ID information about all parties in a Web services transaction, from the requester to the service provider, he added.

For instance, when a Web service requester interacts with an ID-based Web service to access someone's calendar, the identities of all the parties in the transaction are carefully parsed. Ideally, users would be able to sign on from any computing device and use Web services to purchase goods without fear that their identity and other personal information might be compromised.

"SAML 2.0 allows us to express that identity information more elegantly," Madsen said.

Other new features in ID-WSF 2.0 allow Web service consumers to receive automatic notices of changes from the Web services provider. Principal referencing allows users to create and maintain a list of friends or colleagues they interact with online.

An intelligent client schema now allows Web services to work across a variety of devices and provides interoperability across systems for new types of strong authentication mechanisms, including smart cards.

SAML 2.0 support caps off Liberty's first phase with the spec. The second and third phases, which are expected to be finished by the end of 2005, will include several new features, such as the ability to customize Web services.

Many of Liberty Alliance's members will have representation at the security-oriented RSA Conference in San Francisco next week.