Standards Group Ratifies Upgraded Security Schema

E-business standards consortium OASIS Monday will ratify the Security Assertion Markup Language (SAML) 1.1 as a standard, a source familiar with the group’s plans confirmed.

SAML 1.1 represents an upgrade over SAML 1.0, which was passed by OASIS in November 2002 to define a common method for sharing authorization information between different security systems.

The upgraded standard, which incorporates other industry-standard protocols and messaging frameworks such as XML Signature, XML Encryption and SOAP, features opt-in account linking, simple session management and global log-out capabilities.

Among other security-oriented tasks, SAML can enable single sign-on services, making it an important protocol for groups such as the Liberty Alliance Project, which in April submitted new network identity specifications to an industry standards board for use in future versions of SAML.

Ronald Schmelzer, senior analyst with XML and Web services research firm ZapThink, said SAML has the tough task of sewing up disparate security infrastructures because it is handled differently by each company.

“It’s good to hear that SAML 1.1 is passing muster as a specification to help with the critical security and identity management issues of Web Services… security — or rather, the lack thereof — has become the primary roadblock to widespread Web Services adoption,” Schmelzer said. “SAML and other efforts such as the WS-Security family of specifications are aiming to solve these problems at an early stage so that Web Services can become as widely implemented as the rest of us in the industry are hoping. SAML, especially their latest 1.1 release, will become a critical part of that security infrastructure for widespread Web Services adoption.”

SAML was developed by Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard Co., Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun Microsystems, Verisign, and other members of the OASIS Security Services Technical Committee.

The progression of SAML parallels and, some experts say, counters similar efforts by Microsoft, IBM and others to construct their own standard, based on WS-Security. WS-Security defines a set of SOAP extensions that can be used to implement integrity and confidentiality in Web services applications.

The components of WS-Security include WS-Trust, which describes a framework for setting up trust relationships to make secure, interoperable Web services; WS-SecureConversation, which details a framework to establish a secure context for parties that want to exchange multiple messages; and WS-SecurityPolicy, which describes general security policies that can be associated with a service.

WS-Federation, part of the overall effort by IBM and Microsoft to build a Web services security framework, was launched in July.

SAML 1.1’s passage comes even as OASIS members are hard at work on version 2.0 of the specification.
