
Microsoft supports SAML, sort of


Microsoft has taken a small step in the right direction by agreeing to implement Security Assertion Markup Language 1.0 in its upcoming .Net operating environment. Although Microsoft's announcement was short on specifics, such as the future availability of SAML-enabled .Net security features, the company deserves commendation for this important move toward support for a standard that most of the Web services security industry has long since embraced.

SAML 1.0 is fast becoming the dominant industry standard for federating diverse security environments in support of multidomain Web single sign-on (SSO), role-based access control (RBAC) and other interoperability scenarios. Microsoft's announcement was just one of several events at Burton Group's Catalyst 2002 North America that showed SAML 1.0 has considerable industry momentum and support. At the conference, the Liberty Alliance industry consortium released its Phase One specifications, which it has developed as extensions to the core SAML 1.0 standard. Many Web access management vendors announced their own plans to ship SAML 1.0-enabled products in the next several months.

Microsoft's decision to support SAML showed that even this powerful vendor can't long resist market forces that have been calling for vendors to converge around common Web security standards. Microsoft presented a compelling vision of federated .Net security environments that incorporate, in addition to SAML 1.0, such specifications as Kerberos, Passport, Web Services Security (WS-Security), TrustBridge, X.509 public-key certificates and Extensible Rights Markup Language access-control licenses. SAML 1.0, in Microsoft's grand scheme, will be used primarily as an XML syntax for describing authentication and authorization "assertion" data structures to be interchanged between .Net and other operating and security environments.

Unfortunately, Microsoft is up to its usual habit of playing games with open standards. The vendor announced that it won't be implementing major portions of SAML 1.0, including the standard's Simple Object Access Protocol (SOAP) binding, Web browser profiles or request/response messaging protocol. Instead of placing SAML assertions in the payload of SOAP messages (in compliance with SAML 1.0), Microsoft will place them in the SOAP header, alongside Kerberos tickets and other claims, in conformance with the Microsoft co-developed WS-Security specification.
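
The placement difference described above, as an added example that is not part of the original column: two constructed, abbreviated SOAP 1.1 envelopes carry a SAML 1.0 assertion, one in the body as the SAML SOAP binding expects and one in a WS-Security header, and a receiver that reads only the body finds nothing in the second. The WS-Security namespace is the April 2002 draft's; the `idp.example` issuer, the assertion IDs and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.1, SAML 1.0, and the April 2002 WS-Security draft.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
}

# Constructed, abbreviated sample: SAML 1.0 SOAP binding, assertion in the Body.
BODY_STYLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      AssertionID="a-1" Issuer="idp.example"/>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""

# Constructed, abbreviated sample: WS-Security style, assertion in the Header.
HEADER_STYLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      AssertionID="a-2" Issuer="idp.example"/>
    </wsse:Security>
  </soap:Header>
  <soap:Body><app:GetQuote xmlns:app="urn:example:app"/></soap:Body>
</soap:Envelope>"""

# Where each style puts the assertion, relative to the Envelope root.
PATHS = {
    "body": "soap:Body/samlp:Response/saml:Assertion",
    "header": "soap:Header/wsse:Security/saml:Assertion",
}

def locate_assertions(envelope_xml):
    """Return the AssertionIDs found in the body and in the security header."""
    root = ET.fromstring(envelope_xml)
    return {place: [a.get("AssertionID") for a in root.findall(path, NS)]
            for place, path in PATHS.items()}

def binding_only_receiver_accepts(envelope_xml):
    """Model a receiver that implements only the SAML 1.0 SOAP binding."""
    return bool(locate_assertions(envelope_xml)["body"])
```
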

We should regard Microsoft's federated security architecture as offering just token support for SAML 1.0. It's not clear how, if at all, Microsoft's SAML implementation will interoperate with other vendors' Web services security products. Microsoft won't implement even the minimal set of SAML 1.0 features that would have been necessary for it to participate in the industry demonstration at this year's Catalyst. The vendor's SAML discussion at Catalyst revolved primarily around the standard's role in facilitating federation over the Internet between .Net-based Kerberos domains that implement WS-Security and TrustBridge. Microsoft's single-vendor federation scenario has little in common with the multivendor SSO/RBAC interoperability demonstrated elsewhere at Catalyst. It's purely Microsoft-centric.

Microsoft's business model in the enterprise software market has long revolved around implementing whatever blend of proprietary and open standards can secure market share most quickly in whatever product niche it has targeted. WS-Security is a specification with great promise, and it includes features that will likely be adopted in future versions of the SAML standard, but it is not yet supported in the SAML 1.0-enabled products that other vendors will be releasing soon.

It's disappointing to see Microsoft take this quasi-proprietary tack with SAML 1.0. Let's hope the folks in Redmond realize soon that inadequate, half-hearted SAML support will only make it more difficult for their customers to implement federated, multivendor security environments.


Kobielus is an Alexandria, Va.-based analyst with The Burton Group, an IT advisory service that provides in-depth technology analysis for network planners. He can be reached at (703) 924-6224 or
