Security Assertion Markup Language (SAML) V2.0 Approved as OASIS Standard.
The Organization for the Advancement of Structured Information Standards (OASIS) has approved Version 2.0 of the Security Assertion Markup Language (SAML) as an OASIS Standard. The specification was produced by members of the OASIS Security Services Technical Committee.
The SAML standard "leverages core Web services standards including XML, SOAP, Transport Layer Security (TLS), XML Signature (XMLsig), and XML Encryption (XMLenc). It defines a framework for exchanging security information between online business partners. It allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application."
SAML Version 2.0 "enables the secure exchange of authentication, attribute, and authorization information between disparate security domains, making vendor-independent Web single sign-on and secure e-business transactions possible. Version 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information."
A key feature of SAML is its support for federated identity — one that is "both portable and potable, so it can be transported and consumed across autonomous domains or business boundaries. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality."
According to Rob Philpott, co-chair of the OASIS Security Services Technical Committee, "SAML v2.0 is the convergence point for the major identity federation initiatives deployed in the industry today; that is, SAML v1.x, Liberty ID-FF, and the Internet2's Shibboleth effort. With the release of SAML v2.0, the industry now has a very robust, proven foundation upon which to build identity-based solutions that meet those requirements."
Earlier this year, thirteen vendors from around the world teamed with the U.S. General Service Administration (GSA) E-Gov E-Authentication Initiative to demonstrate interoperability of the Security Assertion Markup Language (SAML) 2.0. The OASIS Federated Identity InterOp Lab, co-sponsored by GSA E-Authentication Initiative, Enspier, and RSA Security, demonstrated a combination of web single sign-on, and single logout scenarios.
In February 2005 the Liberty Alliance announced a public draft release of its Identity Web Services Framework (ID-WSF) Version 2.0 in a Phase One distribution that supports the OASIS SAML 2.0 release. Liberty's ID-WSF 2.0 is a second-generation framework for identity-based Web services which "has been extended to include support for SAML 2.0, specifically defining how SAML 2.0 assertions can be used to communicate identity information among identity-based Web services." The ID-WSF 2.0 release is "part of a Liberty Alliance roadmap for WSF 2.0 specifications that are being released in phases to accommodate rapid industry deployment. The first phase is focused on SAML 2.0 support."
Shibboleth has also profiled SAML for its particular requirements: Shibboleth is a project within the Internet2 higher education consortium to develop technical and policy frameworks and an open software system for the sharing of online resources among researchers, professors, and students. Shibboleth's input has been fed back into SAML.
XACML (Extensible Access Control Markup Language) is "an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies ('who can do what when'). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses). The newest versions of XACML and SAML have been designed to complement each other; for example, an XACML policy can specify what a provider should do when it receives a SAML assertion, and XACML-based attributes can be expressed in SAML."
There is also now a "SAML token profile of WS-Security that specifies how SAML assertions can be used to provide message security. Additionally, SAML itself points to WS-Security as an approved mechanism for securing SOAP messages carrying SAML protocol messages and assertions."
OASIS reports that at least twenty-seven (27) member organizations participate in ongoing SAML technical work, including representatives of AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, and Sun Microsystems.
Security Assertion Markup Language (SAML) V2.0 is distributed in the form of a ZIP archive containing eight (8) prose specification documents and supporting XML Schema files (main schema files, main authentication context schema files, and authentication context class schema files). See the file listing and ZIP archive.
The prose specification documents are listed below:
- Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 19 pages. "This normative specification provides the technical requirements for SAML V2.0 conformance and specifies the entire set of documents comprising SAML V2.0."
- Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), John Kemp (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 87 pages. "This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information."
- Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), Frederick Hirsch (Nokia), John Kemp (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 46 pages. "This specification defines protocol bindings for the use of SAML assertions and request-response messages in communications protocols and frameworks."
- Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by John Hughes (Atos Origin), Scott Cantor (Internet2), Jeff Hodges (Neustar), Frederick Hirsch (Nokia), Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 66 pages. "This specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions."
- Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), Jahan Moreh (Sigaba), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 40 pages. "SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way. This document defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles. Such roles include that of Identity Provider, Service Provider, Affiliation, Attribute Authority, Attribute Consumer, and Policy Decision Point."
- Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by John Kemp (Nokia), Scott Cantor (Internet2), Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 70 pages. "This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML."
- Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Frederick Hirsch (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 33 pages. "This non-normative specification describes and analyzes the security and privacy properties of SAML."
- Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Jeff Hodges (Neustar), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 16 pages. "This specification defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents."
Security Assertion Markup Language (SAML) 2.0 Technical Overview. Edited by John Hughes (Atos Origin) and Eve Maler (Sun Microsystems), with contributions from Hal Lockhart (BEA). Working Draft version 03. February 20, 2005. 40 pages. Document identifier: 'sstc-saml-tech-overview-2.0-draft-03'. Non-normative document. Abstract: "The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards). This document provides a technical description of SAML V2.0."
SAML Executive Overview. Produced by members of the OASIS Security Services (SAML) Technical Committee. March 10, 2005. Version 2, draft 6. 5 pages. SAML "is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application..."
SAML Implementation Guidelines. Working Draft 01. August 27, 2004. 40 pages. Document identifier: 'sstc-saml-implementation-guidelines-draft-01'. Edited by Charles Knouse, with contributions from the Liberty ID-FF Implementation Guideline contributors. Abstract: "This non-normative specification provides guidelines for the implementation of applications using SAML assertions, protocol, bindings, and profiles."
SAML Version 2.0 introduces several new features, as summarized in the SAML Executive Overview:
- Pseudonyms: SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address).
- Identifier management: SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.
- Metadata: The metadata specification defines how to express configuration and trust-related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester. The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.
- Encryption: SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that end-to-end confidentiality of these elements may be supported as needed.
- Attribute Profiles: Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:
  - Basic attribute profile: supports string attribute names and attribute values drawn from XML schema primitive type definitions.
  - X.500/LDAP attribute profile: supports canonical X.500/LDAP attribute names and values.
  - UUID Attribute Profile: use of UUIDs as attribute names.
  - XACML Attribute Profile: formats suitable for processing by XACML.
- Session management: The single logout protocol in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated. As an example, if a principal, after authenticating at an identity provider, achieved single sign-on to multiple service providers, they could be automatically logged out of all of those service providers at the request of the identity provider.
- Devices: SAML V2.0 introduces new support for the mobile world — addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.
- Privacy Mechanisms: SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.
- Identity provider discovery: In deployments having more than one identity provider, service providers need a means to discover which identity provider(s) a principal uses. The identity provider discovery profile relies on a cookie written in a common domain between identity and service providers.
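The pseudonym and identifier-management items above, together with the audience restriction and validity window that the Assertions and Protocols specification places in an assertion's Conditions, can be illustrated end to end. The following is an added example written for this article; it is not code from the OASIS specifications or from any SAML implementation. The assertion namespace and the persistent NameID format URI are the real SAML 2.0 values; the entity IDs, the account name "alice", and the helper names (PseudonymStore, build_assertion, check_assertion, demo) are constructed for the example. Signing with XML Signature is left out, so the service-provider checks shown are the content checks that follow signature verification, not a replacement for it.

```python
"""Added example (not code from the OASIS specifications or from this
article): an identity provider hands out an opaque per-service-provider
pseudonym, places it in the NameID of a minimal SAML 2.0 assertion, and a
service provider performs the content checks that must pass before the
assertion is trusted.  Namespace and NameID-format URIs are the real
SAML 2.0 values; entity IDs and account names are constructed sample data."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)


def q(tag):
    """Clark-notation qualified name in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


class PseudonymStore:
    """Identity-provider side: one random pseudonym per (account, service provider).
    Values come from a CSPRNG and are never derived from the account name, so two
    service providers comparing their NameIDs cannot link the same principal."""

    def __init__(self):
        self._map = {}  # (local_account, sp_entity_id) -> pseudonym

    def pseudonym_for(self, local_account, sp_entity_id):
        key = (local_account, sp_entity_id)
        if key not in self._map:
            self._map[key] = secrets.token_urlsafe(24)
        return self._map[key]


def build_assertion(issuer, sp_entity_id, pseudonym, now, lifetime=timedelta(minutes=5)):
    """Identity-provider side: build the assertion (unsigned here; a deployment
    signs it with XML Signature before sending it)."""
    a = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_" + secrets.token_hex(16),
                                     "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(a, q("Issuer")).text = issuer
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID"), {"Format": PERSISTENT,
                                      "SPNameQualifier": sp_entity_id}).text = pseudonym
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": now.strftime(TIME_FMT),
                                              "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT)})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = sp_entity_id
    ET.SubElement(a, q("AuthnStatement"), {"AuthnInstant": now.strftime(TIME_FMT),
                                           "SessionIndex": "_" + secrets.token_hex(8)})
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Service-provider side.  Returns (accepted, reason, pseudonym).  Signature
    verification is assumed to have happened already; these content checks follow it."""
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", None
    if root.findtext(q("Issuer")) != trusted_issuer:
        return False, "untrusted issuer", None
    cond = root.find(q("Conditions"))
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        return False, "missing validity window", None  # design choice: require both bounds
    parse = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    if now < parse(nb) or now >= parse(na):
        return False, "outside validity window", None
    if my_entity_id not in [e.text for e in cond.iter(q("Audience"))]:
        return False, "audience mismatch", None  # assertion was minted for another SP
    nid = root.find(f"{q('Subject')}/{q('NameID')}")
    if nid is None or nid.get("Format") != PERSISTENT:
        return False, "no persistent NameID", None
    return True, "ok", nid.text


def demo():
    """Run the flow on constructed sample data and return the outcomes."""
    idp, sp_a, sp_b = ("https://idp.example/metadata", "https://sp-a.example/metadata",
                       "https://sp-b.example/metadata")
    store = PseudonymStore()
    pseud_a = store.pseudonym_for("alice", sp_a)
    pseud_b = store.pseudonym_for("alice", sp_b)
    issued = datetime(2005, 3, 14, 12, 0, tzinfo=timezone.utc)
    xml_text = build_assertion(idp, sp_a, pseud_a, issued)
    return {
        "unlinkable": pseud_a != pseud_b,  # SP A and SP B see different NameIDs for alice
        "stable": store.pseudonym_for("alice", sp_a) == pseud_a,  # same SP keeps the same one
        "accepted": check_assertion(xml_text, idp, sp_a, issued + timedelta(minutes=1)),
        "wrong_audience": check_assertion(xml_text, idp, sp_b, issued + timedelta(minutes=1)),
        "expired": check_assertion(xml_text, idp, sp_a, issued + timedelta(minutes=10)),
        "wrong_issuer": check_assertion(xml_text, "https://other-idp.example/metadata", sp_a, issued),
        "pseudonym": pseud_a,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The audience check is what stops an assertion minted for one service provider from being replayed at another, and the validity window bounds how long a captured assertion stays usable; both are cheap to check and easy to forget when a library hands back only the NameID.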
- SAML Version 2.0 and supporting documents:
- Announcement 2005-03-14: "Members Approve Security Assertion Markup Language (SAML) v2.0 as OASIS Standard. AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, Sun Microsystems, and Others Advance Standard for Single Sign-On."
- Announcement 2005-02-16: "OASIS Federated Identity Lab Demonstrates SAML 2.0 Interoperability for GSA E-Gov's E-Authentication Initiative. Computer Associates, DataPower Technology, Entrust, Hewlett-Packard Company, Oracle, RSA Security, Sun Microsystems, and Others Showcase Authentication and Authorization Standard at RSA Conference."
- SAML V2.0 CD approved as an OASIS Standard: See the file listing and ZIP archive [source .ZIP]
- Security Assertion Markup Language (SAML) 2.0 Technical Overview. February 20, 2005. [source PDF]
- SAML Executive Overview. Produced by the OASIS Security Services TC. Revised Version 2.0 Draft. March 10, 2005. [source PDF]
- SAML Implementation Guidelines. August 27, 2004. [source PDF]
- OASIS Security Services (SAML) TC:
- Earlier SAML news stories:
- "Security Assertion Markup Language (SAML)" - General references.