SAN FRANCISCO — The Organization for the Advancement of Structured Information Standards (OASIS) Monday demonstrated version 1.0 of Security Assertion Markup Language (SAML), pushing the technology further to being adopted as a Web standard.
Pronounced “Sam-el,” its XML-based framework helps secure transmitted communications over the Internet. SAML is also important because it defines mechanisms to exchange authentication, authorization and nonrepudiation information. That designation holds the key for allowing single sign-on capabilities for Web services.
The standard is now under review by the at-large OASIS membership for consideration. The group said the standard should be approved in the next voting cycle.
“Traditionally, security has been implemented within a single enterprise, but companies are now partnering on the Web to expand the scope and range of their e-Business transactions,” said OASIS member Hal Lockhart. “With SAML, companies can safely exchange information with out requiring partners to change their security platforms. SAML is the common language that defines how different systems can communicate safely.”
SAML is one of several security standards being developed at OASIS. Other specifications include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data, SPML for exchanging provisioning information, and XrML for rights management.
The standard is taking on added significance at the Catalyst Conference 2002 here with the announcement that bitter rivals Sun Microsystems and Microsoft
are both pledging support for the language.
Often at odds with each other, Microsoft and Sun have developed independent XML and SOAP-based Web services platforms. The proclamation by both companies is a signal by some that competing Web services platforms such as Microsoft’s Passport and the Sun-sponsored Liberty Alliance program could find some common interoperability ground.
The Liberty Alliance released version 1.0 of its standard at the conference minutes before OASIS made its announcement.
“Out of the box, SAML will not be the answer,” said Oblix CTO and co-founder Nand Mulchandani. “But I see no reason why it couldn’t provide a way for the two technologies to work together.”
Oblix, along with eleven other vendors, including ePeople, IBM , Novell, Sun Microsystems, Entegrity Solutions and RSA Security that said they would provide native support for the standard.
OASIS said SAML is not an alternative to the WS-Security standard, which is heavily backed by Microsoft, along with IBM and VeriSign. The trio submitted its specs to OASIS last month. Sun, who initially had shown little interest in the standards, actually threw in its support at the last minute.
“SAML is an important security interoperability initiative,” said Burton Group senior analyst James Kobielus. “Most Web access solution vendors have committed resources to the emerging standard and are in the process of implementing SAML 1.0 in the next releases of their products. The OASIS SAML interoperability demonstration proves the standard’s viability in practice.”
The next step for SAML is to add in profiling for wireless platforms such as cell phones. An OASIS representative said to authorize genuine interoperability would require another step, but is not far away from becoming a reality.
The Liberty Alliance 1.0 designation uses SAML for its wireless compatibility capacity, but it is not based on the language.
