What SAML ratification means to directories
OASIS, the Organization for the Advancement of Structured Information Standards, has just fully ratified Version 1.0 of the Security Assertion Markup Language (SAML).
I talked about this standard last July ("All in agreement", www.nwfusion.com/newsletters/dir/2002/01485965.html) after seeing a demonstration of interoperability from a dozen different vendors. While SAML isn't a necessary component of directory interoperability, it nevertheless requires identity information – most of which resides in directories – to be shared between and among disparate entities. That's not to say that directory information is passed across the wire, but that authentication and authorization can be done across the wire.
SAML uses a subset of the XML data description language to provide a Web-based service to cooperating organizations allowing users who have authenticated to one site to be also authenticated to cooperating sites. As such, SAML forms the basis for the Liberty Alliance's specification for federated identity management.
SAML, by itself, is just a data description language. It's analogous to SQL, the Structured Query Language used to manipulate data in a relational database management system (RDBMS). But without a database, SQL isn't much use. So too, SAML without directories is merely an academic exercise. With the communication language now standardized, the basis for judging different implementations of federated identity management will come down to the data store itself – the directory, the metadirectory or the database that each vendor chooses to hold the identity information.
Directories have a decided edge in performance, because they're optimized for reads. But there are a lot more people in the world who consider the RDBMS the only place to hold important corporate data. There's going to be another round of fights and squabbles – mostly territorial – as database administrators and directory managers square off for control of the identity management turf.
High-level corporate execs will only look at the Liberty Alliance spec. Mid-level execs will review the SAML spec that Liberty is based on. It's up to the operational people – the directory managers and administrators – to ensure that the best technology (i.e., directory services) is used to implement these new specifications.
I'll be watching the marketing hoopla that results from the release of SAML 1.0 as well as the upcoming (early next year) release of Version 2 of the Liberty Alliance spec and will alert you to any FUD that's being thrown around concerning directories. And there will be FUD. Just remember – make it your mantra – that all directories are databases but not all databases can be directories.
RELATED LINKS
Security standard gains OASIS approval
Network World Fusion, 11/06/02
Dave Kearns is a writer and consultant in Silicon Valley. His most recent book is "Peter Norton's Complete Guide to Networks" published by SAMS. Dave's company, Virtual Quill, provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more at Virtual Quill or by e-mail at info@vquill.com