Security/identity · 2005-03-16

SAMLicious

Mmm, smell that wonderful scent coming from the OASIS kitchens? SAML V2.0 is out of the oven!*

It turns out that crossing the streams was a very good idea in the latest work on SAML. The new version unifies the approaches in SAML V1.x, the Liberty Alliance’s Identity Federation Framework (ID-FF V1.2), and Internet2’s Shibboleth initiative. A lot of industries have been following the progress of SAML V2.0; here’s one article covering the news, and here’s the official OASIS press release that provides the vital stats and quotes from some of the major participants in the work.

A snippet from the Executive Overview will provide some context if you’re unfamiliar with SAML:

Federation is the dominant movement in identity management today. Federation refers to the establishment of some or all of business agreements, cryptographic trust, and user identifiers or attributes across security and policy domains to enable more seamless cross-domain business interactions. As web services promise to enable integration between business partners through loose coupling at the application and messaging layer, federation does so at the identity management layer – insulating each domain from the details of the others’ authentication and authorization infrastructure.

Key to this loose coupling at the identity management layer are standardized mechanisms and formats for the communication of identity information between the domains – the standard provides the insulating buffer. The Security Assertion Markup Language (SAML) defines just such a standard.
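As an added illustration of the "standardized mechanisms and formats" the overview refers to, here is example code (not from this post or from the OASIS specifications) showing what a relying party in one domain does with a SAML V2.0 assertion issued by another: it checks the issuer, the validity window and the audience restriction carried in the assertion's `<Conditions>` element. The assertion, the issuer URL and the audience URL are constructed sample values; only the `urn:oasis:names:tc:SAML:2.0:assertion` namespace and the element names are from the standard. Signature verification, which a real deployment performs before trusting any of these fields, is outside the scope of the example.

```python
"""Added example: minimal relying-party checks on a SAML V2.0 assertion.

Assumes a constructed assertion with hypothetical issuer/audience URLs.
Signature verification is assumed to have happened already (not shown).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML V2.0 assertion namespace
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer and audience are hypothetical.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1"
    Version="2.0" IssueInstant="2005-03-16T10:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1234</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-03-16T10:00:00Z" NotOnOrAfter="2005-03-16T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-03-16T09:59:30Z"/>
</saml:Assertion>"""


def parse_instant(text):
    """SAML timestamps are UTC with a 'Z' suffix."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, my_audience, now):
    """Validate issuer, validity window and audience of a SAML V2.0 assertion.

    `now` is the relying party's current time as a SAML timestamp string.
    Returns (True, subject NameID) on success or (False, reason) on failure.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML V2.0 assertion"

    # The issuer must be an identity provider this domain has a federation agreement with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions"

    current = parse_instant(now)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and current < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and current >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    # AudienceRestriction names the relying parties the assertion is intended for;
    # an assertion addressed to some other domain must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch"

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, subject


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.org/",
                          "https://sp.example.com/", "2005-03-16T10:02:00Z"))
```

The three rejections the function produces (wrong issuer, outside the validity window, wrong audience) are exactly the places where one domain's trust in another is bounded: the identifier and the time window come from the issuing domain, but the decision to honour them is taken entirely within the receiving domain.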

The elevator pitch might be that SAML is the universal solvent of security and identity information. I’ve been excited about it for more than four years now, ever since its predecessor S2ML was published; SAML has proven to be a key component of honest-to-goodness success in cross-domain sharing of authentication and access control information. The addition of the Shibboleth and Liberty perspectives has ensured that SAML now has a more comprehensive solution for privacy protection, too.

A ton of people worked on this stuff, but Scott Cantor of Ohio State University has to be mentioned as the guy who went above and beyond the call of duty every single week. The original plan was to finish work by summer 2004, and we did manage to publish Committee Drafts (formal review drafts that are stable to a first approximation) last August. The process of discovering and fixing various nits led to a few more CD review cycles, and we also had a great interop exercise at the RSA conference recently, so I have a fair degree of confidence that the converged specs are clean, workable, interoperable, and even — dare I say it? — mature.

*Well, there is a section in the SAML Profiles spec that defines common domain cookies…