Liberty and SAML for All

Looking to tame the wild world of Web services, the Liberty Alliance Friday submitted new network identity specifications to an industry standards board for use in future version of the SAML authentication language.

Pronounced “Sam-el,” its XML-based framework helps secure transmitted communications over the Internet. SAML is also important because it defines mechanisms to exchange authentication, authorization and nonrepudiation information. That designation holds the key for allowing single sign-on capabilities for Web services.

The Organization for the Advancement of Structured Information Standards (OASIS), ratified Version 1.0 of SAML in November 2002. The standards group is currently working on version 2.0.

At the request of OASIS, the Alliance said it contributed Phase 1 network identity specifications and chose to extend SAML in version 1.1 to include additional security enhancements vital to identity management, such as opt-in account linking, simple session management and global log-out capabilities. The group is expected to detail further its new version at the RSA Security conference here this week.

However, the submission somewhat counters efforts by Microsoft and IBM to come up with their own identity standard based on WS-Security. WS-Security defines a set of SOAP extensions which can be used to implement integrity and confidentiality in Web services applications, laying the groundwork for higher-level facilities like federation, policy and trust.

Analysts say the fragmentation is a sign that the Web Services Interoperability organization (WS-I) — the umbrella organization under which Microsoft, IBM, and the others are developing their specifications — may not be working with Liberty, despite the thaw in relations since Sun was voted to its core board of directors.

While OASIS has historically favored Liberty’s approach, the group said it would consider all submissions to SAML 2.0 at this time.

“Collaboration between standards groups enables the Web services industry to move forward at a pace that meets the needs of the market,” OASIS president and CEO Patrick Gannon said in a statement. “As SAML evolves, it makes sense to leverage the work Liberty Alliance has already done in this area. Our mutual goal is to decrease time-to-market for new technology, enhance interoperability between products and drive broader adoption of open standards.”

SAML is one of several security standards being developed at OASIS. Other specifications include WS-Security for high-level security services, XACML for access control, XCBF for describing biometrics data, SPML for exchanging provisioning information, and XrML for rights management.

The Liberty Alliance currently boasts some 160 supporting companies. Founding members of the Alliance are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone.

The group is the brainchild of Sun Microsystems as an alternative to Microsoft’s .NET and Passport initiatives. The idea is to create standards for identifying users the first time they log on and then letting other sites recognize and authenticate the user.

“We will continue to work closely with OASIS as the Liberty Alliance federated identity architecture evolves,” said Michael Barrett, president of the Liberty Alliance Management Board and vice president for Internet strategy at American Express. “The Alliance will continue to develop Liberty’s Identity Federation Framework, and plans to collaborate closely with OASIS on future enhancements.”