SAML promises Web services security
Security Assertion Markup Language 1.0 is a new proposed standard for interoperability among Web services security products. As corporations increasingly deploy access management solutions and other security products in Web services environments, SAML 1.0 has the potential to be a critical interoperability standard for securing these online environments from end to end, both within organizations and from business to business.
SAML 1.0, nearing ratification by the Organization for the Advancement of Structured Information Standards, works with XML and Simple Object Access Protocol (SOAP).
SAML 1.0 defines SOAP-based interactions among security and policy domains, supporting Web single sign-on (SSO), authentication and authorization. The standard defines request and response "assertion" messages that security domains exchange to vouch for authentication decisions, authorization decisions, and attributes that pertain to named users and resources.
SAML 1.0 also defines functional entities such as authentication authorities, attribute authorities, policy decision points and policy enforcement points.
In a SAML-enabled Web SSO scenario, users log on to their home or "source" domains through authentication techniques such as ID/password. The source domain communicates this authentication decision, plus other information that provides a security context for that decision, to one or more affiliated or federated destination domains through messages that contain SAML "authentication assertions" and "attribute assertions."
The SAML scenario
In the most basic SAML 1.0 interoperability scenario supporting Web SSO, the browser/artifact profile, a user interacts with SAML-enabled Web sites as follows:
While it continues to gain marketplace traction, SAML 1.0 is still a new specification whose long-term viability remains unproven. The true test of SAML 1.0, as of any standard, will be in how well the market accepts the proposed standard and enables development of Web services through products that support it. Web security solution vendors are hard at work ironing out the myriad technical details necessary to support interoperability among their diverse SAML 1.0 implementations.
Kobielus is senior analyst at The Burton Group and a Network World columnist. He can be reached at firstname.lastname@example.org