SAML 2.0 Security Gets Test, Preps for Vote

SAML 2.0, the key upgrade to a core web services security markup language, passed two key hurdles last week. First, SAML 2.0 passed an interop test to exchange authentication, attribute and authorization info with other major security specs. Second, a draft SAML 2.0 spec is ready for the vote. Get the details.

Tags: SAML, Federated Identity, Security, Standards, Interoperability, OASIS, Identity Management,

The pending adoption of SAML 2.0, to a key upgrade to a core web services security markup language, passed two key hurdles its latest test on its road to becoming a standard.

First, more than a dozen vendors, including Computer Associates, Entrust, HP, Oracle, Sun and RSA all joined in a successful test of SAML 2.0's ability to exchange authentication, attribute and authorization information between different security systems.

Second, the OASIS Security Services technical committee has approved the latest version of the SAML 2.0 spec and schemas as formal "committee drafts," and submitted them to OASIS for balloting - including the core spec, bindings, profiles, metadata and authentication context classes.

IT vendors teamed with the U.S. General Service Administration (GSA) E-Gov E-Authentication Initiative to demonstrate interoperability of the Security Assertion Markup Language (SAML) 2.0, a security specification developed by the OASIS standards consortium. SAML enables secure exchange of authentication, attribute, and authorization information between disparate security domains, making secure Internet e-business transactions possible.

The tests, conducted under the auspices of OASISs Federated Identity InterOp Lab, focused on demonstrating SAML 2.0's ability to interoperate across a number of different web single sign-on, and single logout scenarios, including SAML 1.x, Liberty Alliance and Shibboleth. The tests were conducted as part of the U.S. government's E-Authentication Initiative.

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence, and adoption of e-business standards. OASIS has more than 4,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include AVDL, CAP, DocBook, DSML, ebXML, SAML, SPML, UBL, UDDI, WS-Reliability, WSRP, WSS, XACML, and XCBF.

GSA's Program Executive Stephen Timchak, offered an upbeat assessment of the test result. "The E-Authentication Initiative is committed to helping drive the evolution of federated identity management, and that's why we are excited to sponsor the OASIS Federated Identity InterOp on SAML 2.0," Timchat said in a statement. "[W]e look forward to being enthusiastic adopters of SAML 2.0 when it qualifies for inclusion in the E-Authentication architecture."

An analyst from the Burton Group was also pleased with the test. "This OASIS InterOp demonstration offers an important proof-of-concept for…SAML 2.0, [which] can provide a logical convergence point for new products and deployments in the coming months ." said Dan Blum, Burton's Senior Vice President and Research Director.

Vendors Collaborate on SAML Interoperability
Participating vendors in SAML 2.0 gave the following statements after the successful tests:

  • Computer Associates -- "As one of the co-founders of the SAML specification, CA is delighted to see SAML 2.0's latest enhancements which will enable our diverse customer base to further extend their federation initiatives and realize the full business benefits of standards-based identity management." -- Marc Chanliau, eTrust product manager at Computer Associates.

  • DataPower -- "Because organizations cannot possibly agree on a single vendor solution for identity, traditional, proprietary SSO is impractical for federated identity across extranets and Web services. By validating complete SAML interoperability of DataPower's XS40 XML Security Gateway, we ensure that our customers are getting an open, standards-based solution for federated identity" -- " said Eugene Kuznetsov, CTO founder of DataPower.

  • Entrust -- "OASIS SAML 2.0 represents convergence within the SAML standard and signals the widespread acceptance and increasing importance of Federated Identity standards for interoperability between partner domains. Our participation in the OASIS Federated Identity InterOp Lab demonstrates our ongoing support of open standards such as SPML, XACML and SAML." Chris Voice, vice president-technology at Entrust, Inc.

  • Oracle -- "It is evident Web services are rapidly becoming the cornerstone for integration and B2B transactions. SAML 2.0 will further propagate the use of Web services for federated identity management to securely connect customers, partners and employees with the information they need," -- Uppili Srinavasan, senior director of identity management and security products at Oracle

  • RSA Security -- "By embracing SAML.2.0 - a convergence standard that is a cornerstone in the future of identity federation - the technology industry will enable companies to collaborate efficiently and securely, across business boundaries," said Toffer Winslow, director of product management and marketing at RSA Security.

  • Sun Microsystems -- "Sun is proud to have been a supporter of SAML from its inception, and we are pleased to showcase SAML 2.0 interoperability between Sun Java System Access Manager and other vendors products -- Sara Gates, vice president identity management at Sun.