RealTime IT News

OASIS Makes SAML 2.0 Official

OASIS approved version 2.0 of the Security Assertion Markup Language (SAML) as a standard, providing guidelines for developers to create single sign-on applications that work across disparate locations on the Internet.

Backed by vendors such as IBM, BEA Systems and Sun Microsystems, SAML 2.0 defines XML assertions by which a security system that has authenticated a user (the identity provider) vouches for that user to an application at another site (the service provider), paving the way for the exchange of Web services. Web services allow applications to communicate with each other regardless of boundaries on the Web.

With products built on the standard, a user could sign on once at a trusted identity provider and then make a purchase, or conduct some other type of transaction involving sensitive data, at a partner site without re-entering credentials and without that site ever having to store or check the user's password.

Prateek Mishra, co-chair of the OASIS Security Services Technical Committee, said features in SAML 2.0 fill important gaps left by SAML 1.0, which was ratified in 2002. This includes new attribute profiles and metadata specifications to improve communication among businesses participating in a federation.

The completion of the WS-Security stack by OASIS last year was a milestone for securing SOAP-based Web services on the Internet. SAML complements those standards (a SAML assertion can be carried as a WS-Security security token) and is expected to make single sign-on services more trustworthy.

After all, businesses and users can hardly have too much security in the wake of a rash of hack attacks and the spread of corporate governance rules that require companies to protect information.

SAML is itself XML. Its assertions and request/response messages are carried over bindings such as SOAP and HTTP, are signed with XML Signature (XMLSIG) so that the receiving party can check who issued them and that they were not altered in transit, and can be encrypted with XML Encryption (XMLENC) when they carry data that must not be readable by intermediaries. SAML 2.0 also converges with the federated identity standards of the Liberty Alliance, whose ID-FF specification was contributed to it.

Though SAML 2.0 became official Monday, Oracle, Computer Associates and RSA Security are already shipping products built on the standard. Moreover, governments are employing it in their computing architectures.

During the RSA Security conference in San Francisco last month, some 13 vendors joined the U.S. General Services Administration (GSA) to demonstrate their support for the GSA's e-Gov program of conducting secure transactions using the SAML 2.0 specification.

While SAML 2.0 is designed to handle the explosion in digital identities across computer networks and is supported by major Web services purveyors, Microsoft is conspicuously absent from that list.

Though Microsoft has commented on the SAML 2.0 spec within working groups and supports it within development tools as part of the Microsoft Developer Network (MSDN), the software giant still uses Passport, its own single sign-on software.

However, major partners like eBay and Monster.com have dropped Passport, citing a desire to develop secure sign-on in house. This prompted Microsoft to relegate Passport to its own Web sites and opened the door for the company to perhaps support SAML 2.0.