QuickStudy: Security Assertions Markup Language (SAML)
Computerworld - You need to travel to Seattle on business, so you go to your favorite airline's Web site, log in with your user name and password, enter your authentication information and book your reservation.
Then you remember you're going to need a car, so you surf to the auto rental site, log in again with a different user name and password, and reserve your car. Then you head to the hotel's Web site, log in with yet another user name and password, and book your room.
If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners.
OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards.
Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called "assertions," between business partners over the Internet.
OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification.
SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example.
SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges.
SAML doesn't address privacy policies, however. Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection.
The SAML specification itself doesn't define any new technology or approaches for authentication. Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures.
Inside the Spec
SAML is designed to work with HTTP, Simple Mail Transfer Protocol, file transfer protocol and several XML frameworks, including the Simple Object Access Protocol (SOAP) and e-business XML.
It provides a standard way to define user authentication, authorization and attribute information in XML documents.
The main components of SAML include the following:
Assertions: SAML defines three kinds of assertions, which are declarations of one or more facts about a user (human or computer). Authentication assertions require that the user prove his identity. Attribute assertions contain specific details about the user, such as his credit line or citizenship. The authorization decision assertion identifies what the user can do (for example, whether he is authorized to buy a certain item).
Request/response protocol: This defines the way that SAML requests and receives assertions. For example, SAML currently supports SOAP over HTTP. In the future, the SAML request and response format will bind to other communications and transport protocols.
Bindings: This details exactly how SAML requests should map into transport protocols such as SOAP message exchanges over HTTP.
Profiles: These dictate how SAML assertions can be embedded or transported between communicating systems.
While SAML makes assertions about credentials, it doesn't actually authenticate or authorize users. That's done by an authentication server in conjunction with the Lightweight Directory Access Protocol directory. SAML does link back to the actual authentication and makes its assertion based on the results of that event.
Vendors supporting SAML include RSA Security Inc., Netegrity Inc., Oblix Inc., Baltimore Technologies PLC, CrossLogix Inc., Novell Inc., Sun Microsystems Inc. and IBM's Tivoli Systems. Microsoft Corp. says it will support SAML in its .Net Server operating system. The Liberty Alliance Project, a group of vendors and corporate users developing an open specification for creating a federated single sign-on standard, also backs SAML.
Making Security Assertions
The user wants to buy supplies from Office Barn. The parties dont know each other, but both have a common authentication/attribute authority they trust. The buyer communicates with a trusted authority, known as a policy enforcement point, via SAML over HTTP. The authority returns assertions that the buyer is logged in (authentication) and has a corporate limit of $500 (attribute). The buyer then attaches this information to a purchase order and forwards it to Office Barn. The entire process may be transparent to the buyer.
Making Security Assertions
See additional Computerworld QuickStudies
Read more about Applications in Computerworld's Applications Topic Center.
- How Four Citrix Customers Solved the Enterprise Mobility Challenge Managing mobile devices, data and all types of apps-Windows, datacenter, web and native mobile- through a single solution.
- 8 Steps to Fill the Mobile Enterprise Application Gap Traveling executives and Millennials alike expect to communicate, collaborate and access their important work applications and data from anywhere on whatever device they...
- Seattle Children's Accelerates Citrix Login Times by 500% with Cross-Tier Insight Seattle Children's is a leading research hospital with a large and growing Citrix XenDesktop deployment. With ExtraHop, the IT team at Seattle Children's...
- McKesson Makes Application Hosting for Hospitals Faster, More Efficient With ExtraHop, McKesson identified the root cause of slow Citrix XenApp application launches and adopted a more intelligent, proactive IT operations model that...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt.
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.