QuickStudy: Security Assertions Markup Language (SAML)

Computerworld - You need to travel to Seattle on business, so you go to your favorite airline's Web site, log in with your user name and password, enter your authentication information and book your reservation.

Then you remember you're going to need a car, so you surf to the auto rental site, log in again with a different user name and password, and reserve your car. Then you head to the hotel's Web site, log in with yet another user name and password, and book your room.

If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners.

OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards.

Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called "assertions," between business partners over the Internet.

OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification.

SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example.

SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges.

SAML doesn't address privacy policies, however. Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection.

The SAML specification itself doesn't define any new technology or approaches for authentication. Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures.

Inside the Spec

SAML is designed to work with HTTP, Simple Mail Transfer Protocol, file transfer protocol and several XML frameworks, including the Simple Object Access Protocol (SOAP) and e-business XML.

It provides a standard way to define user authentication, authorization and attribute information in XML documents.

The main components of SAML include the following:

• Assertions: SAML defines three kinds of assertions, which are declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).

• Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. In the future, the SAML request and response format will bind to other communications and transport protocols.

• Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.

• Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.

While SAML makes assertions about credentials, it doesn't actually authenticate or authorize users. That's done by an authentication server in conjunction with the Lightweight Directory Access Protocol directory. SAML does link back to the actual authentication and makes its assertion based on the results of that event.

Vendors supporting SAML include RSA Security Inc., Netegrity Inc., Oblix Inc., Baltimore Technologies PLC, CrossLogix Inc., Novell Inc., Sun Microsystems Inc. and IBM's Tivoli Systems. Microsoft Corp. says it will support SAML in its .Net Server operating system. The Liberty Alliance Project, a group of vendors and corporate users developing an open specification for creating a federated single sign-on standard, also backs SAML.

Making Security Assertions The user wants to buy supplies from Office Barn. The parties don’t know each other, but both have a common authentication/attribute authority they trust. The buyer communicates with a trusted authority, known as a policy enforcement point, via SAML over HTTP. The authority returns assertions that the buyer is logged in (authentication) and has a corporate limit of $500 (attribute). The buyer then attaches this information to a purchase order and forwards it to Office Barn. The entire process may be transparent to the buyer. Source: OASIS

See additional Computerworld QuickStudies