
Security standard gains OASIS approval

Nov 06, 2002

The Organization for the Advancement of Structured Information Standards on Wednesday formally approved a standard security protocol that is likely to become the building block for integrating corporate user access control systems over the Internet.

The protocol also is seen as a cornerstone for building a security infrastructure to support emerging Web services.

After nearly two years of work, OASIS stamped the Security Assertion Markup Language 1.0 as an official Open Standard, the group’s highest level of ratification.

SAML 1.0 is an XML-based framework for exchanging authentication and authorization credentials over the Web. The protocol incorporates other XML-based standard protocols, including XML Signature, XML Encryption, and the Simple Object Access Protocol (SOAP).

SAML promises to give corporations a way to tie together disparate security systems internally and with business partners. It would allow users to obtain a SAML “assertion” containing user identity and access controls from one site and use it to gain access to other sites that support the SAML specification.

“SAML is perfect for single sign-on in browser-based environments and for [business-to-business] server interaction when live users are not involved,” says Marc Chanliau, the senior product manager for XML technologies at Netegrity who helped develop the protocol. Netegrity has two SAML-compliant products, SiteMinder and Transaction Minder.

Netegrity is one of a handful of vendors with products that support SAML, including Baltimore Technologies, Crosslogix, Entegrity Solutions, ePeople, Novell, OverXeer, Oblix, RSA Security, Sigaba, Sun Microsystems and Tivoli Systems.

The Liberty Alliance, which in July released a specification for creating standard network identities, also has embraced SAML as the core of its initial specification.

Further, SAML is being used as part of the WS-Security specification for securing Web services. That specification was developed by IBM, Microsoft and VeriSign, and the three turned it over to OASIS in June.

WS-Security outlines how to integrate disparate security credentials – such as Kerberos, Public Key Infrastructure and SAML – using a set of extensions to SOAP. WS-Security will allow Web services to pass secure and signed messages, a process that today requires a patchwork of proprietary technologies.

SAML and WS-Security are part of a group of protocols under development at OASIS that address security and Web services. The others are XML Access Control Markup Language, Rights Language, Service Provisioning Markup Language, XML Common Biometric Format and the Digital Signature Services protocol.

Earlier this week, Public Key Infrastructure was added to that list when the PKI Forum was folded into OASIS. The Forum will continue to advance the use of PKI as a foundation for secure transactions in e-business and Web services applications.