SAML Version 2.0 Becomes an OASIS Standard
Members Approve Security Assertion Markup Language (SAML) v2.0 as OASIS Standard
AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, Sun Microsystems, and Others Advance Standard for Single Sign-On
Boston, MA, USA. March 14, 2005.
OASIS, the international e-business standards consortium, today announced that its members have approved the Security Assertion Markup Language (SAML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SAML v2.0 enables the secure exchange of authentication, attribute, and authorization information between disparate security domains, making vendor-independent Web single sign-on and secure e-business transactions possible. Version 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information.
"Prior to SAML, there was no XML-based standard that enabled the exchange of security information between a security system and an application," said John Pescatore, analyst at Gartner, Inc. "SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it also specifies a Web services-based request/reply protocol for exchanging these statements."
"The number of digital identities in today's world is exploding and business partners need better ways to federate and manage those identities in order to control access to their resources in the face of growing regulatory and compliance requirements," noted Rob Philpott of RSA Security, co-chair of the OASIS Security Services Technical Committee. "SAML v2.0 is the convergence point for the major identity federation initiatives deployed in the industry today; that is, SAML v1.x, Liberty ID-FF, and the Internet2's Shibboleth effort. With the release of SAML v2.0, the industry now has a very robust, proven foundation upon which to build identity-based solutions that meet those requirements."
SAML leverages core Web services standards including XML, SOAP, Transport Layer Security (TLS), XML Signature (XMLSIG), and XML Encryption (XMLENC).
"SAML v2.0 builds on the success of SAML v1.1 by providing a full-featured foundation for identity federation on the Internet," explained Prateek Mishra of Principal Identity, co-chair of the OASIS Security Services Technical Committee. "Some of its features fill in important 'gaps' observed in practical deployments: for example, the attribute profiles and metadata specification simplify agreement between businesses participating in a federation. Other features such as encryption, pseudonyms and user consent enable confidentiality and privacy of information about users."
"SAML v2.0 has the benefit of real implementations in a variety of industries to help the market drive adoption," stated Patrick Gannon, president and CEO of OASIS. "Major technology vendors are already shipping identity management products and appliances built on SAML, and governments are incorporating it into their architectures. Many other key XML standards already have defined clear profiles for working with this flexible and extensible OASIS Standard for the federated model of identity management."
Over 27 member organizations globally participate in this ongoing work, including representatives of AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, and Sun Microsystems. Participation remains open to all, and suppliers, end-users, and systems integrators are invited to join OASIS to advance the continued development and adoption of SAML. OASIS hosts an open mail list for public comment and the saml-dev mailing list for exchanging information on implementing the standard.
Industry Support for SAML 2.0 OASIS Standard
"In a relatively short time, SAML has become one of the most widely accepted standards for exchanging authorization data in Federated Identity environments. SAML 2.0 reflects this broad support in the number of organizations and individuals who contributed new features to it. BEA looks forward to increasing our support for SAML in future product offerings," said Hal Lockhart, Principal Engineering Technologist, BEA Systems.
"SAML 2.0 will be the keystone that enables many other elements of XML trust infrastructure to interoperate. For example, the upcoming XRI 2.0 specifications from the OASIS XRI (Extensible Resource Identifier) Technical Committee uses SAML 2.0 assertions to provide trusted XRI resolution services. The OASIS XDI (XRI Data Interchange) Technical Committee also plans to foster trusted data interchange relationships using SAML 2.0," said Drummond Reed, CTO Cordance Corporation, co-chair, OASIS XRI and XDI Technical Committees.
"SAML is fast becoming the dominant Web services standard for federating 'identity as a service', and promises to break the traditional lock between Web SSO 'shim' and server. The 2.0 version of SAML and the very successful 12-vendor OASIS SAML Interop lab at the RSA Conference are further proof of SAML's maturity," said Eugene Kuznetsov, CTO and Chairman of DataPower.
"Nokia has long recognized the importance of security and identity management to Web services and is pleased to see SAML v2.0 reach standardization," said Frederick Hirsch, Senior Architect at Nokia. "SAML v2.0 will do much to reduce market confusion and to drive adoption of federated identity technology, converging Liberty Alliance Federation Framework, SAML v1.1, and Shibboleth technologies. Achieving SAML v2.0 standardization is a major accomplishment in an important area."
"SAML has rapidly been established as the accepted mechanism for making authoritative electronic assertions about user authentication and identity information. Reactivity supports the enhancements in SAML v2.0 that build on that success to provide a comprehensive framework for federating identities, controlling user sessions and identifying web transactions," said Andrew Nash, CTO of Reactivity.
"By accepting SAML v2.0 as an OASIS Standard, the technology industry has demonstrated its commitment to delivering open, interoperable solutions that enable companies to leverage the benefits of seamless identity federation," said Jason Lewis, vice president of product marketing and management at RSA Security. "RSA Security is proud to have contributed to the development of SAML, and we look forward to continuing to support initiatives which provide the greatest flexibility and choice to our customers."
"Sun continues to drive identity management and Web services standards both through our participation with organizations, such as OASIS and the Liberty Alliance, as well as providing full support of the latest industry standards within our products," said Sara Gates, vice president identity management, Sun Microsystems, Inc. "Sun is proud to have been a supporter of SAML from its inception, and we are excited to see it approved by the members of the OASIS Security Services Technical Committee as an OASIS Standard."
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 4,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include AVDL, CAP, DocBook, DSML, ebXML, SAML, SPML, UBL, UDDI, WSDM, WS-Reliability, WSRP, WSS, XACML, and XCBF.
OASIS Security Services Technical Committee
Cover Pages Technology Report: SAML
Prepared by Robin Cover for The XML Cover Pages archive. See details in the news story "Security Assertion Markup Language (SAML) V2.0 Approved as OASIS Standard." General references in "Security Assertion Markup Language (SAML)."