Several draft documents covering the Security Assertion Markup Language (SAML) are now available for public review. SAML is being developed within the OASIS XML-Based Security Services Technical Committee (SSTC) as an "XML security standard for exchanging authentication and authorization information." The documents are under active revision, but provide a snapshot of the committee's design work. A draft 'SAML Specification' prepared for use at FTF3 contains material on the SAML domain model (description of the SAML problem space), a glossary, SAML core assertions, alternate assertion model, protocol models, and conformance. A version 0.9 draft of Security Assertions Markup Language: Core Assertion Architecture provides the text proposed by the Core Assertions and Protocol group for the Core Assertions section of the SAML.
SAML "specifies several different types of assertion for different purposes; these are: (1) Authentication Assertion: An authentication assertion asserts that the issuer has authenticated the specified subject. (2) Attribute Assertion: An attribute assertion asserts that the specified subject has the specified attribute(s). Attributes may be specified by means of a URI or through an extension schema that defines structured attributes. (3) Decision Assertion: A decision assertion reports the result of the specified authorization request. (4) Authorization Assertion: An authorization assertion asserts that a subject has been granted specific permissions to access one or more resources."
SSTC Charter: "The purpose of the XML-Based Security Services TC (SSTC) is to define an XML framework for exchanging authentication and authorization information. The TC will produce a set of one or more Committee Specifications that cover use cases and requirements, core assertions, protocols, bindings, and a conformance suite, all of the aforementioned to be examined with respect to security considerations. The work will take the S2ML specification and the intended submission of AuthXML, along with any other relevant and timely submissions, into consideration. The goal (subject to revision) is to publish a substantially complete set of Committee Specifications by 1 June 2001, and submit a Committee Specification to the OASIS membership for its approval by 1 September 2001... The TC has agreed to call its specification Security Assertion Markup Language (SAML, pronounced 'sam-l')."
Principal references:
- XML-Based Security Services Technical Committee
- SAML document archive. See this listing for the most recent document version URLs.
- "Security Assertion Markup Language (SAML)" - Main reference page. See the document listing with titles/dates.