
SAML V1.1 is final

Posted by elm on September 11, 2003 at 8:08 AM PDT

Recently I posted (http://weblogs.java.net/pub/wlg/331) about SAML's wide adoption and its next steps. Well, SAML V1.1 has now become an OASIS Standard (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security) through a strong show of support from OASIS members, and I can report that the SAML committee's face-to-face meeting this week to plan out the features of V2.0 was a big success.

If you haven't run across the Security Assertion Markup Language before, here's the basic idea. SAML allows for interoperable exchange of security information about subjects, focusing on describing three kinds of things: authentication acts, attributes, and authorization decisions. You can request "assertions" in these forms from "SAML authorities" that you trust.

One especially useful scenario for SAML is single sign-on (SSO), where a user can log in to one website but then proceed to use resources at a website in a different domain -- because SAML assertions are being exchanged that tell the second site that the user's okay. This was the focus of the selection of SAML as an underpinning of the Liberty Alliance (http://www.projectliberty.org) identity federation work and for Sun's SAML support in its Sun ONE Identity Server product (http://wwws.sun.com/software/products/identity_srvr/ds_identity.html). Another scenario is to use SAML assertions to secure a SOAP message, which is achieved by the OASIS WSS (Web Services Security) SAML Token Profile work (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss).

SAML is also designed to be extremely extensible while retaining a reasonable level of interoperability, and a number of standards efforts and products have taken advantage of this. We had to blaze a bit of a new W3C XML Schema trail in V1.0 in trying out different methods of extension, and the real-world reports we're getting back will help us refine these methods. One issue is the best way to refer to "standard" user attributes that come from something like an LDAP schema. Currently the XML representation of this in SAML is a simple attribute name string plus an XML Namespaces-like URI (an "attribute namespace" in SAML terms). Another issue is how to improve the XML Schema type hierarchy that we make available for extension and where we should be using the xs:anyType datatype.
(By the way, I'll be giving a lecture on XML and extensibility (http://cde.berkeley.edu/events/evemaler/) on September 15 at the Center for Document Engineering at UC Berkeley, touching on these sorts of topics.)
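To make the three assertion kinds and the "attribute name plus attribute namespace" representation concrete, here is an added example (not code from this post, the OASIS specs, or OpenSAML) that parses a constructed SAML V1.1 assertion carrying one AuthenticationStatement, one AttributeStatement and one AuthorizationDecisionStatement, and then applies the checks a relying party in the SSO scenario must make on the assertion's Conditions before it trusts any of those statements. The SAML namespace, element and attribute names follow the SAML 1.x assertion schema; the issuer, audience, AssertionID, attribute namespace URIs and subject are hypothetical values made up for the sample. XML Signature verification, which has to happen before any of this, is deliberately left out.

```python
"""Parse a SAML V1.1 assertion and check its Conditions before trusting it."""
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion, XXE)

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # V1.1 kept the 1.0 namespace
NS = {"saml": SAML_NS}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (hypothetical issuer, audience, AssertionID and attribute namespaces).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3" Issuer="https://idp.example.org" IssueInstant="2003-09-11T15:08:00Z">
  <saml:Conditions NotBefore="2003-09-11T15:08:00Z" NotOnOrAfter="2003-09-11T15:13:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-09-11T15:07:55Z">
    <saml:Subject>
      <saml:NameIdentifier Format="{EMAIL_FMT}">alice@example.org</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="{EMAIL_FMT}">alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:ldap:inetOrgPerson">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="memberOf" AttributeNamespace="urn:example:ldap:groupOfNames">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Subject><saml:NameIdentifier Format="{EMAIL_FMT}">alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """SAML 1.x instants are UTC with a 'Z' suffix; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _subject(stmt: ET.Element) -> str:
    nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return "" if nid is None else (nid.text or "").strip()


def parse_assertion(xml_text: str) -> dict:
    """Extract the three statement kinds a SAML 1.1 assertion can carry.

    Call this only after the XML Signature has been verified (not shown here):
    parsing proves nothing about who actually issued the document.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    result = {"issuer": root.get("Issuer"),
              "version": (root.get("MajorVersion"), root.get("MinorVersion")),
              "authentication": [], "attributes": {}, "decisions": []}
    for st in root.findall("saml:AuthenticationStatement", NS):
        result["authentication"].append({"subject": _subject(st),
                                         "method": st.get("AuthenticationMethod"),
                                         "instant": _ts(st.get("AuthenticationInstant"))})
    for st in root.findall("saml:AttributeStatement", NS):
        for attr in st.findall("saml:Attribute", NS):
            # An attribute is identified by the (namespace, name) pair, not the name alone.
            key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
            result["attributes"][key] = [(v.text or "").strip()
                                         for v in attr.findall("saml:AttributeValue", NS)]
    for st in root.findall("saml:AuthorizationDecisionStatement", NS):
        result["decisions"].append({"subject": _subject(st), "resource": st.get("Resource"),
                                    "decision": st.get("Decision"),
                                    "actions": [(a.get("Namespace"), (a.text or "").strip())
                                                for a in st.findall("saml:Action", NS)]})
    return result


def check_conditions(xml_text: str, my_audience: str, now_iso: str) -> list:
    """Reasons a relying party must reject the assertion; an empty list means usable.

    Every AudienceRestrictionCondition must be satisfied (AND across conditions);
    one is satisfied if we are listed as any of its Audiences (OR within it).
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:  # no Conditions element: no restrictions apply
        return []
    now, problems = _ts(now_iso), []
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("expired")
    for arc in cond.findall("saml:AudienceRestrictionCondition", NS):
        audiences = [(a.text or "").strip() for a in arc.findall("saml:Audience", NS)]
        if my_audience not in audiences:
            problems.append("audience mismatch")
            break
    return problems
```

Two things the example makes visible that the prose does not: attributes are keyed by the (AttributeNamespace, AttributeName) pair, which is exactly the "how do we refer to LDAP-style attributes" question above, and AttributeValue is the xs:anyType extension point, so a consumer has to decide how much of its content it is willing to interpret. The NotOnOrAfter boundary is exclusive, so an assertion presented at that exact instant is already expired.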

If you haven't checked out SAML yet, you can download the specs here (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security), and you can also find an open-source toolkit at OpenSAML.org (http://www.OpenSAML.org). And if you've got new use cases that you'd like SAML V2.0 to support, make sure to get your comments in as soon as possible (see my previous post (http://weblogs.java.net/pub/wlg/331) for instructions) because the window will be closing pretty soon.
