An XML-based protocol that is destined to become the building block for corporate user-access security products was approved last week by the Organization for the Advancement of Structured Information Standards.

OASIS stamped Security Assertion Markup Language (SAML) 1.0 as an Open Standard, the group’s highest level of ratification. SAML 1.0 is an XML-based framework for exchanging authentication and authorization credentials over the Web. The protocol incorporates other standard protocols, including XML Signature, XML Encryption and Simple Object Access Protocol (SOAP).

SAML promises to give corporations a way to link disparate security systems internally and with business partners. It would let users obtain a SAML “assertion” containing user identity and access controls from one site and use it to gain access to other sites that support the specification. But more important, it will become the foundation for security services, including a key to building a security infrastructure to support Web services.

“SAML is becoming the consensus standard for network security, identity management, single sign-on and role-based access control,” says James Kobielus, an analyst with Burton Group and a Network World columnist. “It is one of the fundamental specs for Web services security.
The same way basic XML was fundamental to developing Web services, most Web services security protocols from here on in will leverage or extend SAML.”

Support for SAML in products is already coming from vendors such as Baltimore Technologies, Crosslogix, Entegrity Solutions, ePeople, Netegrity, Novell, Oblix, OverXeer, RSA Security, Sigaba, Sun and Tivoli Systems.

The Liberty Alliance, which published a specification in July for creating standard network identities, has embraced SAML.

SAML also is being used as part of the WS-Security specification for securing Web services. The specification, developed by IBM, Microsoft and VeriSign, was given to OASIS in June. WS-Security outlines how to integrate disparate security credentials such as Kerberos, public-key infrastructure and SAML, using a set of extensions to SOAP. WS-Security will let Web services pass secure and signed messages.

Work already is under way to build on the 1.0 specification.

Marc Chanliau, senior product manager for XML technologies for Netegrity, who helped develop the protocol, says Version 2.0 will add features for creating sessions that foster secure transactions.

“Today, SAML doesn’t tell you when someone logs out,” Chanliau says. The session feature will create a single sign-out technology, he says. “When a user doesn’t sign out, you are left with a dangling transaction, and that is not secure,” Chanliau says.

He says he expects the Liberty Alliance to develop extensions to SAML, especially identity attributes that can be used to control a user’s access and actions. For example, an attribute might describe a user as a purchasing agent with rights to buy up to $10,000 worth of goods.

“Authorization attributes can be used with rules to control what users can do,” Chanliau says.
“SAML can make authorization decisions on the fly using those attributes.”