Created: March 14, 2005.

Security Assertion Markup Language (SAML) V2.0 Approved as OASIS Standard.

The Organization for the Advancement of Structured Information Standards (OASIS) has approved Version 2.0 of the Security Assertion Markup Language (SAML) as an OASIS Standard. The specification was produced by members of the OASIS Security Services Technical Committee.

The SAML standard "leverages core Web services standards including XML, SOAP, Transport Layer Security (TLS), XML Signature (XMLsig), and XML Encryption (XMLenc). It defines a framework for exchanging security information between online business partners. It allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application."

SAML Version 2.0 "enables the secure exchange of authentication, attribute, and authorization information between disparate security domains, making vendor-independent Web single sign-on and secure e-business transactions possible. Version 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information."

A key feature of SAML is its support for federated identity — one that is "both portable and potable, so it can be transported and consumed across autonomous domains or business boundaries. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality."

According to Rob Philpott, co-chair of the OASIS Security Services Technical Committee, "SAML v2.0 is the convergence point for the major identity federation initiatives deployed in the industry today; that is, SAML v1.x, Liberty ID-FF, and the Internet2's Shibboleth effort. With the release of SAML v2.0, the industry now has a very robust, proven foundation upon which to build identity-based solutions that meet those requirements."

Earlier this year, thirteen vendors from around the world teamed with the U.S. General Services Administration (GSA) E-Gov E-Authentication Initiative to demonstrate interoperability of the Security Assertion Markup Language (SAML) 2.0. The OASIS Federated Identity InterOp Lab, co-sponsored by the GSA E-Authentication Initiative, Enspier, and RSA Security, demonstrated a combination of web single sign-on and single logout scenarios.

In February 2005 the Liberty Alliance announced a public draft release of its Identity Web Services Framework (ID-WSF) Version 2.0 in a Phase One distribution that supports the OASIS SAML 2.0 release. Liberty's ID-WSF 2.0 is a second-generation framework for identity-based Web services which "has been extended to include support for SAML 2.0, specifically defining how SAML 2.0 assertions can be used to communicate identity information among identity-based Web services." The ID-WSF 2.0 release is "part of a Liberty Alliance roadmap for WSF 2.0 specifications that are being released in phases to accommodate rapid industry deployment. The first phase is focused on SAML 2.0 support."

Shibboleth has also profiled SAML for its particular requirements: Shibboleth is a project within the Internet2 higher education consortium to develop technical and policy frameworks and an open software system for the sharing of online resources among researchers, professors, and students. Shibboleth's input has been fed back into SAML.

XACML (Extensible Access Control Markup Language) is "an XML-based language for access control that has been standardized in OASIS. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies ('who can do what when'). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses). The newest versions of XACML and SAML have been designed to complement each other; for example, an XACML policy can specify what a provider should do when it receives a SAML assertion, and XACML-based attributes can be expressed in SAML."

There is also now a "SAML token profile of WS-Security that specifies how SAML assertions can be used to provide message security. Additionally, SAML itself points to WS-Security as an approved mechanism for securing SOAP messages carrying SAML protocol messages and assertions."

OASIS reports that at least twenty-seven (27) member organizations participate in ongoing SAML technical work, including representatives of AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, and Sun Microsystems.

Bibliographic Information

  • Security Assertion Markup Language (SAML) V2.0 is distributed in the form of a ZIP archive containing eight (8) prose specification documents and supporting XML Schema files (main schema files, main authentication context schema files, and authentication context class schema files). See the file listing and ZIP archive.

    The prose specification documents are listed below:

    • Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 19 pages. "This normative specification provides the technical requirements for SAML V2.0 conformance and specifies the entire set of documents comprising SAML V2.0."
    • Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), John Kemp (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 87 pages. "This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information."
    • Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), Frederick Hirsch (Nokia), John Kemp (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 46 pages. "This specification defines protocol bindings for the use of SAML assertions and request-response messages in communications protocols and frameworks."
    • Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by John Hughes (Atos Origin), Scott Cantor (Internet2), Jeff Hodges (Neustar), Frederick Hirsch (Nokia), Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 66 pages. "This specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions."
    • Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Scott Cantor (Internet2), Jahan Moreh (Sigaba), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 40 pages. "SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way. This document defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles. Such roles include that of Identity Provider, Service Provider, Affiliation, Attribute Authority, Attribute Consumer, and Policy Decision Point."
    • Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by John Kemp (Nokia), Scott Cantor (Internet2), Prateek Mishra (Principal Identity), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 70 pages. "This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML."
    • Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Frederick Hirsch (Nokia), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 33 pages. "This non-normative specification describes and analyzes the security and privacy properties of SAML."
    • Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. Edited by Jeff Hodges (Neustar), Rob Philpott (RSA Security), and Eve Maler (Sun Microsystems). 16 pages. "This specification defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents."

  • Security Assertion Markup Language (SAML) 2.0 Technical Overview. Edited by John Hughes (Atos Origin) and Eve Maler (Sun Microsystems), with contributions from Hal Lockhart (BEA). Working Draft version 03. February 20, 2005. 40 pages. Document identifier: 'sstc-saml-tech-overview-2.0-draft-03'. Non-normative document. Abstract: "The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards). This document provides a technical description of SAML V2.0."

  • SAML Executive Overview. Produced by members of the OASIS Security Services (SAML) Technical Committee. March 10, 2005. Version 2, draft 6. 5 pages. SAML "is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application..."

  • SAML Implementation Guidelines. Working Draft 01. August 27, 2004. 40 pages. Document identifier: 'sstc-saml-implementation-guidelines-draft-01'. Edited by Charles Knouse, with contributions from the Liberty ID-FF Implementation Guideline contributors. Abstract: "This non-normative specification provides guidelines for the implementation of applications using SAML assertions, protocol, bindings, and profiles."

What's New in SAML Version 2.0

SAML Version 2.0 introduces several new features, as summarized in the SAML Executive Overview:

  • Pseudonyms: SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address).

  • Identifier management: SAML V2.0 defines how two providers can establish and subsequently manage the pseudonym(s) for the principals for whom they are operating.

  • Metadata: The metadata specification defines how to express configuration and trust-related data to make deployment of SAML systems easier. In doing this, it identifies the actors involved in the various profiles, such as SSO Identity Provider and Service Provider, and Attribute Authority and Requester. The data that must be agreed on between system entities includes supported roles, identifiers, supported profiles, URLs, certificates and keys.

  • Encryption: SAML V2.0 permits attribute statements, name identifiers, or entire assertions to be encrypted. This feature ensures that end-to-end confidentiality of these elements may be supported as needed.

  • Attribute Profiles: Attribute profiles simplify the configuration and deployment of systems that exchange attribute data. The attribute profiles include:

    • Basic attribute profile: supports string attribute names and attribute values drawn from XML schema primitive type definitions.
    • X.500/LDAP attribute profile: supports canonical X.500/LDAP attribute names and values.
    • UUID Attribute Profile: Use of UUIDs as attribute names.
    • XACML Attribute Profile: formats suitable for processing by XACML.

  • Session management: The single logout protocol in SAML V2.0 provides a protocol by which all sessions provided by a particular session authority can be near-simultaneously terminated. As an example, if a principal, after authenticating at an identity provider, achieved single sign-on to multiple service providers, they could be automatically logged out of all of those service providers at the request of the identity provider.

  • Devices: SAML V2.0 introduces new support for the mobile world — addressing both the challenges introduced by device and bandwidth constraints and the opportunities made possible by emerging smart or active devices.

  • Privacy Mechanisms: SAML V2.0 includes mechanisms that allow providers to communicate privacy policy and settings. For instance, SAML makes it possible to obtain and express a principal's consent to some operation being performed.

  • Identity provider discovery: In deployments having more than one identity provider, service providers need a means to discover which identity provider(s) a principal uses. The identity provider discovery profile relies on a cookie written in a common domain between identity and service providers.
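The pseudonym and attribute-profile features listed above, as an added example in Python (this is not code from OASIS, the Cover Pages, or any SAML implementation): an identity provider mints a per-service-provider pseudonym, issues a SAML 2.0 assertion carrying it as a persistent NameID together with a basic-profile attribute, and a service provider checks the assertion's issuer, audience restriction and validity window before using its contents. The HMAC-based pseudonym derivation is a hypothetical design choice (SAML standardizes the NameID format, not how an identity provider generates the value); the entity IDs, secret, user name and timestamps are constructed sample values. XML Signature verification, which the real profiles require before any of these checks can be trusted, is deliberately left out of the example.

```python
"""SAML 2.0 assertion round trip: pairwise pseudonym, basic-profile attribute,
and service-provider validation.  Added example, not OASIS or vendor code;
entity IDs, secret and user below are constructed sample values."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BASIC_ATTR = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime values are expressed in UTC


def q(tag):
    """Clark-notation tag in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def pairwise_pseudonym(idp_secret, local_user_id, sp_entity_id):
    """Hypothetical derivation of an opaque per-service-provider identifier:
    HMAC-SHA256 over the local account and the SP entity ID, keyed with a
    secret only the IdP holds.  Two SPs receive unrelated values, so they
    cannot correlate the user by NameID alone; one SP always sees the same value."""
    msg = f"{local_user_id}\x00{sp_entity_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def build_assertion(issuer, name_id, audience, not_before, not_on_or_after, attributes):
    """Serialise an unsigned <saml:Assertion> with Subject, Conditions and an
    AttributeStatement whose attributes use the basic attribute profile."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(q("Assertion"), Version="2.0", ID="_example-assertion-1",
                      IssueInstant=not_before.strftime(TIME_FMT))
    ET.SubElement(root, q("Issuer")).text = issuer
    subject = ET.SubElement(root, q("Subject"))
    ET.SubElement(subject, q("NameID"), Format=PERSISTENT).text = name_id
    cond = ET.SubElement(root, q("Conditions"),
                         NotBefore=not_before.strftime(TIME_FMT),
                         NotOnOrAfter=not_on_or_after.strftime(TIME_FMT))
    restriction = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = audience
    statement = ET.SubElement(root, q("AttributeStatement"))
    for name, values in attributes.items():
        attr = ET.SubElement(statement, q("Attribute"), Name=name, NameFormat=BASIC_ATTR)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Service-provider checks on issuer, validity window and audience.
    Signature verification is out of scope here and must precede these checks."""
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion") or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": issuer, "name_id": name_id.text,
            "name_id_format": name_id.get("Format"), "attributes": attributes}


def demo():
    """Issue an assertion for one SP and show the accept/reject outcomes."""
    idp = "https://idp.example.org/saml"  # constructed entity IDs
    sp_a, sp_b = "https://sp-a.example.com/saml", "https://sp-b.example.com/saml"
    secret = b"constructed-idp-secret-do-not-reuse"
    issued = datetime(2005, 3, 14, 12, 0, 0, tzinfo=timezone.utc)
    expiry = issued + timedelta(minutes=5)
    pseudonym_a = pairwise_pseudonym(secret, "alice", sp_a)
    pseudonym_b = pairwise_pseudonym(secret, "alice", sp_b)
    xml_a = build_assertion(idp, pseudonym_a, sp_a, issued, expiry, {"role": ["staff"]})
    result = {"pseudonyms_differ": pseudonym_a != pseudonym_b,
              "valid": validate_assertion(xml_a, idp, sp_a, issued + timedelta(minutes=1))}
    # Same assertion presented after expiry, and to the wrong service provider.
    for label, audience, now in (("replayed_late", sp_a, expiry), ("wrong_audience", sp_b, issued)):
        try:
            validate_assertion(xml_a, idp, audience, now)
            result[label] = "accepted"
        except ValueError as exc:
            result[label] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the module prints the pairwise pseudonym result and the three validation outcomes: the fresh assertion is accepted with the persistent NameID and the `role` attribute, the same assertion presented at `NotOnOrAfter` is rejected, and presenting it to a service provider that is not in the `AudienceRestriction` is rejected. The two pseudonyms for the same user differ, which is the property the Pseudonyms bullet above relies on to stop providers from correlating a principal by identifier.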


Document URI: http://xml.coverpages.org/ni2005-03-14-a.html
Robin Cover, Editor: robin@oasis-open.org