SAML (the Security Assertion Markup Language) has been stable since May 2002 and has been an OASIS Standard since November. There have been a couple of large and successful interop events showing how to use SAML for single sign-on across domains, the first event in July 2002. Security and access management vendors, not least Sun with the Sun ONE Identity Server, have been falling all over themselves to produce SAML-compliant products, and you can get free toolkits from organizations such as OpenSAML to try it out. It looks like SAML is here to stay.

Now the OASIS SAML Technical Committee, of which I'm a member (and the main spec editor), has produced a Version 1.1 that cleans up a few items in the specifications and makes its XML Signature usage more robust based on more real-world experience with that spec. The balloting process in pursuit of OASIS Standard status has begun.

And we've already begun work on SAML Version 2.0, which will focus on adding and aligning functionality based on real use cases and applications of SAML. Since it is being used as a base layer for various other standardization efforts, including (most famously but not exclusively) the Liberty Alliance Project, along with several high-profile commercial deployments such as Boeing's, we have a great chance to take SAML to the next level of utility and interop.

To that end, the SAML TC has put out a call for implementation experience. If you have been using SAML, particularly if you found yourself creating a new profile of SAML usage, I hope you'll drop us a line and let us know about your experience. And if you're not already on the saml-dev online forum for sharing implementation questions and answers, it's a good idea to join. You can also join the security-services-comment list for submitting direct comments on the specs.