QuickStudy: Security Assertions Markup Language (SAML)
Computerworld - You need to travel to Seattle on business, so you go to your favorite airline's Web site, log in with your user name and password, enter your authentication information and book your reservation.
Then you remember you're going to need a car, so you surf to the auto rental site, log in again with a different user name and password, and reserve your car. Then you head to the hotel's Web site, log in with yet another user name and password, and book your room.
If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners.
OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards.
Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called "assertions," between business partners over the Internet.
OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification.
SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example.
SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges.
SAML doesn't address privacy policies, however. Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection.
The SAML specification itself doesn't define any new technology or approaches for authentication. Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures.
Inside the Spec
SAML is designed to work with HTTP, Simple Mail Transfer Protocol, file transfer protocol and several XML frameworks, including the Simple Object Access Protocol (SOAP) and e-business XML.
It provides a standard way to define user authentication, authorization and attribute information in XML documents.
The main components of SAML include the following:
Assertions: SAML defines three kinds of assertions, which are declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. In the future, the SAML request and response format will bind to other communications and transport protocols.
Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.
While SAML makes assertions about credentials, it doesn't actually authenticate or authorize users. That's done by an authentication server in conjunction with the Lightweight Directory Access Protocol directory. SAML does link back to the actual authentication and makes its assertion based on the results of that event.
Vendors supporting SAML include RSA Security Inc., Netegrity Inc., Oblix Inc., Baltimore Technologies PLC, CrossLogix Inc., Novell Inc., Sun Microsystems Inc. and IBM's Tivoli Systems. Microsoft Corp. says it will support SAML in its .Net Server operating system. The Liberty Alliance Project, a group of vendors and corporate users developing an open specification for creating a federated single sign-on standard, also backs SAML.
Making Security Assertions
The user wants to buy supplies from Office Barn. The parties dont know each other, but both have a common authentication/attribute authority they trust. The buyer communicates with a trusted authority, known as a policy enforcement point, via SAML over HTTP. The authority returns assertions that the buyer is logged in (authentication) and has a corporate limit of $500 (attribute). The buyer then attaches this information to a purchase order and forwards it to Office Barn. The entire process may be transparent to the buyer.
Making Security Assertions
See additional Computerworld QuickStudies
Read more about Applications in Computerworld's Applications Topic Center.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- Increase IT Performance from the Enterprise to the Cloud with WAN Optimization Massive consolidation and data mobility, enabled by virtualization, have radically altered how we build servers, design applications, and deploy storage for the emerging...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- Video Stream Quality Impacts Viewer Behavior This scientific white paper, using statistical data from Amakai's streaming network, analyzes how changes in video quality cause changes in viewer behavior.
- Service-Enabling CICS Applications: Best Practices This informative webcast provides an informed, thorough look into CICS service-enablement options and how they can affect your environment. You'll learn how to...