SAN FRANCISCO — Single sign-on is finally moving from theory to
practice in the commercial world, thanks to the growing adoption of the
Security Assertion Markup Language (SAML 2.0) specification, a key protocol
for secure digital identity management within Web-based transactions.
Now, the question is whether more technology vendors will support the
markup language in their digital identity platforms.
During the RSA Security conference here, some 13 vendors joined the
U.S. General Service Administration (GSA) to demonstrate their support for
the GSA’s e-Gov program of conducting secure transactions, using the SAML
2.0 specification. The GSA is aiming for full implementation by this summer.
Member companies within industry standards body OASIS (Organization for
the Advancement of Structured Information Standards), which built the SAML
2.0 spec, must still formally approve version 2.0. But the final vote is
academic.
Major technology vendors such as Oracle , Computer
Associates and RSA Security
are already
shipping new identity management products and appliances built on the SAML
2.0 spec or have products in the works that will support the SAML spec.
In the process, more companies and business partners are conducting
high-value transactions with the secure log-in specifications. The markup
language helps trading partners exchange authentication, authorization and
nonrepudiation information in the same manner across different Web sites.
Rob Philpott, a senior consulting engineer at RSA Security, said the
spec’s growth got a leg up from the contributions and support of
Liberty Alliance, another Web services identity management group.
“If you look at the backers of the Liberty Alliance, and the backers of
SAML, they’re one and the same now. It’s not a contest,” Philpott told
internetnews.com. “Identity is central in the digital ID world. You
need to be able to know who the user is. How do we know the person doing the
transaction is who they say they are? We need ways to federate those
identities. You also want to control who has access to that ID information.
SAML 2.0 helps do that.”
The support of the Liberty Alliance, the Sun Microsystems-led initiative
started by Sun as an alternative to Microsoft’s .NET and Passport digital
identity management systems, is key, since the Liberty Alliance is also
working on Web services security and messaging protocols.
Philpott, who heads the OASIS technical committee that wrote the final
SAML 2.0 spec, likened the growing use of SAML 2.0 to the adoption of the
TCP/IP
industry rallied around in order to help make widespread adoption of
Internet technologies possible.
Oracle’s Uppili Srinivasan, a senior director for the company’s identity
management and security products group, said Web services are rapidly
becoming the cornerstone for integration and B2B transactions. “SAML 2.0
will further propagate the use of Web services for federated identity management to securely connect customers, partners and employees with the information they
need.”
But even with support of major tech vendors, such as Sun Microsystems
, Oracle and even IBM
via their
participation in the Liberty Alliance’s approval of the spec, SAML adoption
still needs the blessing of that other major tech company: Microsoft .
“We’re still faced with a situation whereby if you are in an all-Windows
world, you do it the Microsoft way. If you’re in a non-Windows world, you do
it the SAML way,” said John Pescatore, a security analyst with Gartner
. “So we’ll still have a lot of interoperability problems”
without Microsoft’s participation in deploying the spec.
Microsoft has commented on the SAML 2.0 spec within different working
groups and supports it within development tools as part of the
Microsoft Developers Network (MSDN). Plus, it has been warming to SAML in
recent years, especially as it moves away from supporting its Passport
system along with partner companies. For example, eBay
announced in December that it would
no longer support Passport.
Microsoft is a member of the Web Services
Interoperability Organization, another industry group that promotes Web
services interoperability across platforms, operating systems and
programming languages. OASIS members and other working groups said they are
optimistic that the WSI will also build in support for SAML 2.0 the way the
Liberty Alliance has.
Indeed, some competing security specifications from the WSI actually
complement SAML already, Philpott added. “You can use SAML assertions
to describe rich claims about an identity that you can’t do with other
tokens. So you can use SAML within WS security tokens to secure Web
services.”
Philpott said OASIS is now working with the International
Telecommunications Union to see if it will support the SAML 2.0 spec,
and is looking for more ways that different Web services standards
groups can converge on the same markup language for identity management
tokens.
But for now, he added, SAML 2.0 has the benefit of real implementations
to help the market drive adoption, rather than specifications based on
theory.
