The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: February 11, 2005.
News: Cover Stories

Liberty Identity Web Services Framework (ID-WSF) Supports SAML Version 2.0.

The Liberty Alliance has announced a public draft release of its Identity Web Services Framework (ID-WSF) Version 2.0 in a Phase One distribution that supports the OASIS SAML (Security Assertion Markup Language) Committee Draft 2.0 release.

Liberty Alliance is a global consortium of "more than 150 companies, non-profit and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices."

Liberty's ID-WSF 2.0 is a second-generation framework for identity-based Web services which "has been extended to include support for SAML 2.0, specifically defining how SAML 2.0 assertions can be used to communicate identity information among identity-based Web services." The ID-WSF 2.0 release is "part of a Liberty Alliance roadmap for WSF 2.0 specifications that are being released in phases to accommodate rapid industry deployment. The first phase is focused on SAML 2.0 support. The second and third phase, which are expected to be completed in full by the end of 2005, include several significant new features, designed to give implementers even greater depth of functionality including the capability to leverage custom Web services, as well as those being developed in the services groups within Liberty Alliance."

The Liberty announcement highlights four enhancements in the Identity Web Services Framework, which reflect its response to user requirements and contributed use cases. ID-WSF 2.0 support for Subscription/Notification "permits Web service consumers to subscribe to automatic notices of changes from the Web services provider, automating the process and delivering benefit of ease and control to the end users." Enhancements for Groups "offer support for those scenarios in which membership in a group (e.g., a soccer team, senior managers, etc.) drives/impacts the consumers' online interactions, allowing implementers to deliver enhanced services to end users."

The ID-WSF 2.0 release enhances Principal Referencing, which "allows users to create and maintain a list of those friends/colleagues with whom they wish to interact online (e.g., viewing photos, finding the location, sharing contact book info, etc.), opening up significant new opportunities to personalize services and allow end users to easily customize their Web experience." It also now supports Intelligent Client, which "defines/profiles identity management mechanisms where the user device has enhanced capabilities, available if the device is on or offline, allowing Web services across a variety of devices and interoperability across systems, expanding the opportunity for additional types of strong authentication mechanisms, smart cards, SIM devices, etc."

SAML Version 2.0 is now being reviewed in preparation for a mid-February ballot to consider the specification for approval as an OASIS Standard. SAML "defines the syntax and processing semantics of assertions made about a subject by a system entity. In the course of making, or relying upon such assertions, SAML system entities may use other protocols to communicate either regarding an assertion itself, or the subject of an assertion. This specification defines both the structure of SAML assertions, and an associated set of protocols, in addition to the processing rules involved in managing a SAML system."

SAML assertions and protocol messages "are encoded in XML and use XML namespaces. They are typically embedded in other structures for transport, such as HTTP POST requests or XML-encoded SOAP messages. The SAML bindings specification provides frameworks for the embedding and transport of SAML protocol messages. The SAML profiles specification provides a baseline set of profiles for the use of SAML assertions and protocols to accomplish specific use cases or achieve interoperability when using SAML features."

Liberty Alliance ID-WSF 2.0 Specifications Overview

From the Liberty Alliance Announcement

The publicly available framework has been extended to include support for SAML 2.0, specifically defining how SAML 2.0 assertions can be used to communicate identity information among identity-based Web services. Today's news reflects the ongoing cooperation Liberty Alliance maintains with OASIS and other global standards organizations, integrating recognized open standards into Liberty specifications and helping to drive convergence of identity specifications. As developers increasingly migrate to SAML 2.0, they can now, or at any time in the future, implement ID-WSF specifications to more easily and securely manage interoperable identity-based Web services.

"Successful identity management has become a critical factor in application development and the necessary foundation for deploying all Web services," said George Goodman, president of Liberty Alliance's management board and director of Intel's Visualization and Trust Lab. "These specifications provide a blueprint for driving convergence between federated identity and Web services specifications, a necessary step to complete interoperability."

Gerry Gebel, senior analyst with Burton Group, added, "SAML 2.0 is a significant convergence point in the evolution of federation standards. It's important that vendors and other organizations involved in the standards development process provide a clear roadmap to support this latest version of SAML."

Today's news is part of a Liberty Alliance roadmap for WSF 2.0 specifications that are being released in phases to accommodate rapid industry deployment. The first phase is focused on SAML 2.0 support. The second and third phase, which are expected to be completed in full by the end of 2005, include several significant new features, designed to give implementers even greater depth of functionality including the capability to leverage custom Web services, as well as those being developed in the services groups within Liberty Alliance.

The Web services specification, first introduced in April 2003, is already in use at many organizations across the globe. The first interoperability compliance testing on the specification was completed in October 2004, at which time several companies illustrated support and compliance, including Hewlett-Packard, Nokia, Novell, NTT, Sun Microsystems, and Trustgenix.

According to the 2004 Enterprise Web Services Survey by The Yankee Group, Web services adoption is still early in its lifecycle. Although 48 percent of the companies surveyed have already deployed Web services, 39 percent say they will be deploying Web services sometime within the next 12 months. For the majority of these Web services, identity will play a critical role. Liberty's architecture provides a standardized identity layer on which such services can be built, assuring interoperability and flexibility for implementers, both inside and outside of corporate boundaries, as well as ease-of-use and a rich range of options for end users.

"Federation is the organizing principle for Web services and the market clearly understands that relationship," said Goodman. "By driving the leading specifications in both federation, with our work with OASIS, and Web services, Liberty is once again demonstrating its vision and authority within the identity marketplace, and showing commitment to focusing on convergence whenever and wherever possible."

Liberty Alliance is an alliance of more than 150 companies, non-profit and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information in today's digital economy, and is a key component in driving the use of e-commerce, personalized data services, as well as Web-based services...

Member Quotes

"As the world leader in identity and access management software solutions, CA supports the Liberty ID-WSF specification. This standards support — which already includes SAML 1.0, 1.1, 2.0, Liberty ID-FF 1.1, 1.2, UDDI, WS-S and SPML 1.0 — will enable CA customers to flexibly create, publish, discover and consume identity-based services in support of both their internal and federated business requirements."
      —Gavenraj Sodhi, Product Manager for eTrust Security Management, Computer Associates

"HP has long been committed to supporting and driving open standards including the recent work with the Liberty Alliance for ID-WSF version 2.0. The HP OpenView Identity Management solutions with SAML, Liberty ID-FF and Liberty ID-WSF support underscore HP's commitment to helping customers with solutions based on open standards, interoperability and ease of integration."
      —Todd DeLaughter, Vice President and General Manager, Management Software Business, Hewlett-Packard

"The release of the Identity Web Services Framework specifications from the Liberty Alliance yet again shows the ability of the organization to translate real business problems into well-defined open specifications. Nokia is a committed participant in Liberty Alliance, and Nokia's implementation of ID-WSF in smart phone devices is proof of this commitment. We welcome Liberty Alliance's ambition to drive convergence of both Federated Identity and Web services specifications. By addressing other open specifications, such as SAML and WSS, Liberty Alliance does a good job in reducing uncertainty in the marketplace."
      —Mikko Terho, Vice President, Strategic Architecture, Nokia

"Sun is heavily invested in the ID-WSF 2.0 specification because it hits a sweetspot for defining highly-secure, identity-based Web services that conforms to the WS-I Basic Profile and the Java enterprise platform. Providing personalized services without compromising individual privacy is critical, and with this ability, Sun's Java Enterprise System will enable companies to easily and cost effectively do business with trusted partners and customers while maintaining the highest level of security and control over identity information."
      —Joe Keller, vice president of marketing, Advanced Development Platforms, Sun Microsystems Inc.

"As long time members of the Liberty Alliance we have actively contributed to the development and evolution of the ID-WSF specifications, and produced a leading implementation that is in-use today by several customers. By adding the ability to leverage the SAML 2.0 protocol for single sign-on, ID-WSF version 2.0 has emerged as the leading standard for adding identity federation to Web services that span multiple domains."
      —Greg Whitehead, CTO, Trustgenix

About SAML Version 2.0

On February 1, 2005 OASIS announced that the OASIS Security Services Technical Committee (SSTC) had approved SAML V2.0 specifications and schemas as rev-04 Committee Drafts and had submitted them to OASIS for balloting in pursuit of OASIS Standard status. A ZIP file containing all the specs and schemas is available.

SAML (Security Assertion Markup Language) "defines the syntax and processing semantics of assertions made about a subject by a system entity. In the course of making, or relying upon such assertions, SAML system entities may use other protocols to communicate either regarding an assertion itself, or the subject of an assertion. The specification defines both the structure of SAML assertions, and an associated set of protocols, in addition to the processing rules involved in managing a SAML system. SAML assertions and protocol messages are encoded in XML and use XML namespaces."

SAML assertions "are typically embedded in other structures for transport, such as HTTP POST requests or XML-encoded SOAP messages. The SAML bindings specification provides frameworks for the embedding and transport of SAML protocol messages. The SAML profiles specification provides a baseline set of profiles for the use of SAML assertions and protocols to accomplish specific use cases or achieve interoperability when using SAML features."
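As an added example (not from the Cover Pages item nor from the SAML or Liberty specifications), the following Python decodes a samlp:Response carried by the HTTP POST binding described above, locates the namespaced saml:Assertion inside it, and applies the audience and validity-window checks a relying party makes before trusting the assertion; the issuer, subject, audience and timestamps are constructed for the example.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespaces defined by the SAML 2.0 assertion and protocol schemas.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed sample: a samlp:Response carrying one unsigned assertion. Issuer,
# subject, audience and timestamps are made up for this example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0">
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2005-02-11T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>user-1234</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2005-02-11T10:00:00Z" NotOnOrAfter="2005-02-11T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def post_binding_value(xml_text):
    # The HTTP POST binding carries the Response base64-encoded in a form field.
    return base64.b64encode(xml_text.encode()).decode()

def parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC; normalise the "Z" for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(saml_response_b64, expected_audience, now):
    """Decode a POST-binding value; return (True, NameID) or (False, reason)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a SAML 2.0 Response"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no Assertion with Conditions"
    # NotBefore is inclusive, NotOnOrAfter exclusive; both are optional in the schema.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        return False, "not yet valid"
    if not_on_or_after and now >= parse_time(not_on_or_after):
        return False, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    # XML Signature verification over the assertion must precede any trust in it (not shown).
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A real deployment also checks the Issuer against the expected identity provider and verifies the XML Signature before the Conditions are consulted.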

The OASIS SAML Version 2.0 effort "addresses issues and enhancement requests that have arisen from experience with real-world SAML implementations and with standards architectures that use SAML, such as the OASIS WSS and XACML work. It adds support for features that were deferred from previous versions of SAML for schedule reasons, such as session support, the exchange of metadata to ensure more interoperable interactions, and collection of credentials. It seeks convergence on a unified technology approach for identity federation by integrating the specifications contributed by the Liberty Alliance."

SAML is a flexible and extensible protocol designed to be used by other standards. The Liberty Alliance, the Internet2 Shibboleth project, and OASIS Web Services Security (WS-Security) have all adopted SAML as a technological underpinning to varying degrees.

SAML 1.0 became an OASIS standard in November 2002, and SAML 1.1 followed in September 2003. SAML has seen significant success within industry — gaining momentum in financial services, higher education, government, and other verticals. SAML has been broadly implemented by all major Web access management vendors. SAML is also supported in major application server products and SAML support is also common among Web services management and security vendors. SAML 2.0 builds on that success.

See also the XML.com article: "SAML 2: The Building Blocks of Federated Identity." By Paul Madsen. From XML.com (January 12, 2005). "As web services promise to enable integration between business partners through loose-coupling at the application and messaging layer, federation does so at the identity management layer by insulating each domain from the details of the other's identity management infrastructure. SAML provides the federated identity building blocks on which other federated architectures can be constructed. With SAML 2.0 now providing a stable and full-featured federated identity security infrastructure, focus can now shift to this work. For instance, the Liberty Alliance's ID-Web Services Framework (Liberty ID-WSF) defines a framework for identity-based web services that leverages the SAML layer. Liberty ID-WSF uses SAML as the mechanism by which the authentication status of a user and the identity and authorizations of web sites can be communicated as part of a SOAP request for some piece of that user's personal information (e.g., their online calendar). Upon ratification as an OASIS Standard, expected in early 2005, SAML 2.0 is expected to become the primary standard for federated identity... SAML defines an XML-based framework for communicating security and identity (e.g., authentication, entitlements, and attribute) information between computing entities. SAML promotes interoperability between disparate security systems, providing the framework for secure e-business transactions across company boundaries. By abstracting away from the particulars of different security infrastructures (e.g., PKI, Kerberos, LDAP, etc.), SAML makes possible the dynamic integration necessary in today's constantly changing business environments."


Document URI: http://xml.coverpages.org/ni2005-02-11-b.html
Robin Cover, Editor: robin@oasis-open.org