OASIS Makes SAML 2.0 Official


OASIS approved version 2.0 of the Security Assertion Markup Language (SAML)
as a standard, providing guidelines for developers to create
single sign-on applications that work across disparate locations on the
Internet.


Backed by vendors such as IBM, BEA Systems and Sun Microsystems, SAML 2.0
lets an application accept a user's authentication from a separate security
system and carry that identity information across domain boundaries, paving
the way for the exchange of Web services. Web services allow applications to
communicate with each other regardless of boundaries on the Web.


With products built on the standard, users could sign on once, quickly and
safely, and then make a purchase or conduct some other type of transaction
involving sensitive data with less risk of lost data or a breach.


Prateek Mishra, co-chair of the OASIS Security Services Technical Committee,
said features in SAML 2.0 fill important gaps left by SAML 1.0, which was ratified
in 2002. This includes new attribute profiles and metadata specifications to improve communication among businesses participating in a federation.


While OASIS's completion of the WS-Security stack last year was a milestone
toward Web services that span the global Internet, SAML complements those
standards (WS-Security can carry a SAML assertion as its security token) and
is expected to facilitate more trusted single sign-on services.

After all, businesses and users can't have too much security in the wake of
a rash of hack attacks and the spread of corporate governance rules that
demand that corporations protect their information.

SAML is built on XML standards: SOAP to carry its messages, XML Signature
(XMLSIG) to protect the integrity of assertions and XML Encryption (XMLENC)
to keep them confidential. It also interoperates with the federated identity
standards of the Liberty Alliance, whose ID-FF work was folded into SAML 2.0.
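As an added illustration (not code from OASIS, the Liberty Alliance or any vendor the article names), the following Python shows the checks a service provider has to run on a SAML 2.0 assertion built from those pieces before trusting it: issuer, enveloped XML Signature reference, validity window and audience. The assertion, the issuer and audience URLs and the function names are constructed for the example; the snippet checks only that the signature claims to cover this assertion, since cryptographic verification of the XML Signature itself needs an XML-DSig library (for instance xmlsec) and is outside what it does.

```python
"""Consumer-side checks on a SAML 2.0 assertion (added example, not spec code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed sample assertion: issuer, audience and ID are made up for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2005-03-15T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_a1b2c3"/>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-03-15T11:59:00Z" NotOnOrAfter="2005-03-15T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_utc(stamp):
    """Parse the xsd:dateTime form SAML uses (UTC with a 'Z' suffix)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: %r" % stamp)


def validate_assertion(xml_text, trusted_issuers, audience, now, skew=timedelta(0)):
    """Return (problems, subject). An empty problems list means the assertion
    passed every structural check; the caller must still verify the XMLDSIG
    cryptographically before relying on the subject."""
    problems = []
    # Untrusted XML: in production parse with defusedxml to cap entity expansion.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"], None

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append("untrusted issuer: %r" % issuer)

    # The enveloped signature must reference this assertion's own ID; a
    # Reference that points elsewhere means the signed bytes are not the
    # element we are about to trust.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        problems.append("expected exactly one enveloped Signature, found %d" % len(sigs))
    else:
        uris = [r.get("URI") for r in sigs[0].findall("ds:SignedInfo/ds:Reference", NS)]
        if uris != ["#" + root.get("ID", "")]:
            problems.append("Signature reference %r does not cover this assertion" % uris)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < _parse_utc(not_before):
            problems.append("not yet valid")
        if not_on_or_after and now - skew >= _parse_utc(not_on_or_after):
            problems.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("audience %r not in %r" % (audience, audiences))

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject is None:
        problems.append("no Subject NameID")
    return problems, subject


if __name__ == "__main__":
    now = datetime(2005, 3, 15, 12, 0, 0, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.org"},
                             "https://sp.example.com", now))
```

The `skew` argument is the tolerance a deployment allows for clock drift between identity provider and service provider; the default of zero makes the window checks strict, which is the right starting point when the two clocks are both disciplined by NTP.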


Though SAML 2.0 became official Monday, Oracle, Computer Associates and RSA
Security are already shipping products built on the standard. Moreover,
governments are employing it in their computing architectures.


During the RSA Security conference in San Francisco last month, some 13
vendors joined the U.S. General Services Administration (GSA) to demonstrate
their support for the GSA's e-Gov program for conducting secure
transactions, using the SAML 2.0 specification.


While SAML 2.0 is designed to handle the explosion in digital identities
across computer networks and is supported by major Web services purveyors,
Microsoft is conspicuously absent from that list.


Though Microsoft has commented on the SAML 2.0 spec within working groups
and supports it within development tools as part of the Microsoft Developer
Network (MSDN), the software giant still uses Passport, its own single sign-on
service.


However, major partners like eBay and Monster.com have dropped
the technology, citing a desire to develop secure sign-on in house. This
has prompted Microsoft to relegate the technology to its own Web sites and
opened the door for the company to perhaps support SAML 2.0.
