QuickStudy: Security Assertions Markup Language (SAML)
Computerworld - You need to travel to Seattle on business, so you go to your favorite airline's Web site, log in with your user name and password, enter your authentication information and book your reservation.
Then you remember you're going to need a car, so you surf to the auto rental site, log in again with a different user name and password, and reserve your car. Then you head to the hotel's Web site, log in with yet another user name and password, and book your room.
If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners.
OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards.
Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called "assertions," between business partners over the Internet.
OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification.
SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example.
SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges.
SAML doesn't address privacy policies, however. Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection.
The SAML specification itself doesn't define any new technology or approaches for authentication. Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures.
Inside the Spec
SAML is designed to work with HTTP, Simple Mail Transfer Protocol, file transfer protocol and several XML frameworks, including the Simple Object Access Protocol (SOAP) and e-business XML.
It provides a standard way to define user authentication, authorization and attribute information in XML documents.
The main components of SAML include the following:
Assertions: SAML defines three kinds of assertions, which are declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. In the future, the SAML request and response format will bind to other communications and transport protocols.
Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.
While SAML makes assertions about credentials, it doesn't actually authenticate or authorize users. That's done by an authentication server in conjunction with the Lightweight Directory Access Protocol directory. SAML does link back to the actual authentication and makes its assertion based on the results of that event.
Vendors supporting SAML include RSA Security Inc., Netegrity Inc., Oblix Inc., Baltimore Technologies PLC, CrossLogix Inc., Novell Inc., Sun Microsystems Inc. and IBM's Tivoli Systems. Microsoft Corp. says it will support SAML in its .Net Server operating system. The Liberty Alliance Project, a group of vendors and corporate users developing an open specification for creating a federated single sign-on standard, also backs SAML.
Making Security Assertions
The user wants to buy supplies from Office Barn. The parties dont know each other, but both have a common authentication/attribute authority they trust. The buyer communicates with a trusted authority, known as a policy enforcement point, via SAML over HTTP. The authority returns assertions that the buyer is logged in (authentication) and has a corporate limit of $500 (attribute). The buyer then attaches this information to a purchase order and forwards it to Office Barn. The entire process may be transparent to the buyer.
Making Security Assertions
See additional Computerworld QuickStudies
Read more about Applications in Computerworld's Applications Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...