Liberty Supports SAML 2.0 in New Spec

Identity standards group Liberty Alliance has issued a draft of ID-WSF 2.0, its second version of the Web services framework, which supports Security
Assertion Markup Language (SAML) 2.0.

SAML, which standards body OASIS created, maps out single sign-on utilities for creating and exchanging security
information among online partners.

By supporting SAML 2.0, ID-WSF 2.0 will make it easier for developers to
manage identity-based Web services, a distributed computing method that
allows applications to communicate with each other to exchange purchase
orders. Although Web services adoption is still in its infancy, according to
research firms, reliable ID management could pick up the pace.

The Liberty Alliance includes member companies like Sun Microsystems , HP and NTT, all of whom have invested time
and money in bringing Web services to the market.

Paul Madsen, who represents NTT in both Liberty and OASIS, said the SAML 2.0
support is the biggest revision in ID-WSF 2.0. It uses SAML assertions and authentication statements for single-sign on to communicate ID information about all parties in a Web services transaction, from the requester to the service provider, he added.

For instance, when a Web service requester interacts with an ID-based Web
service to access someone’s calendar, the identities of all the parties in
the transaction are carefully parsed. Ideally, users would be able to sign
on from any computing device and use Web services to purchase goods without
fear that their identity and other personal information might be

“SAML 2.0 allows us to express that identity information more elegantly,”
Madsen said.

Other new features in ID-WFS 2.0 allow Web service consumers to receive
automatic notices of changes from the Web services provider. Principal
referencing allows users to create and maintain a list of friends or
colleagues they interact with online.

An intelligent client schema now allows Web services across a variety of
devices and interoperability across systems for new types of strong
authentication mechanisms, including smart cards.

SAML 2.0 support caps off Liberty’s first phase with the spec. The
second and third phases, which are expected to be finished by the end of
2005, will include several new features, such as the ability to customize
Web services.

Many of Liberty Alliance’s members will have representation at the
security-oriented RSA Conference in San Francisco next week.

News Around the Web