SAML, for a better web identity management

CIOL Bureau

The typical lament of a web or network user is having to remember too many passwords in order to access a multitude of systems. The advent of web services has further strengthened the need for one-time authentication, or single sign-on, for network users.


Though several developers and vendors have provided proprietary (closed) solutions to tackle the problem, those solutions were not entirely hassle-free. Currently, one such web services security standard initiative, SAML (Security Assertion Markup Language), is being developed by the Organization for the Advancement of Structured Information Standards (OASIS), a non-profit, global consortium that works towards the development, convergence and adoption of e-business security standards.


As enterprises increasingly deploy access management solutions and other security products in web services environments, the emergence of SAML, a proposed standard for interoperability among web services, has stirred a lot of interest in the industry.


According to the OASIS report, SAML is a proposed XML-based framework for exchanging authentication and authorization information among disparate web access management and security products. Using SAML, security information can be expressed as an XML document and securely transmitted from one application to another.


The scope of SAML is basically driven by:


- Browser interaction


- XML message transfer


- Remote authorization


The beginning


Says Sun Microsystems, Senior Solution Specialist, Sun ONE Software, Jyotinath Ganguly, "The Technical Committee for SAML was set up in June 2001. The SAML version 1.0 specification defines a common XML framework for exchanging security assertions among security authorities.


The primary goal is to achieve interoperability across different vendor platforms that provide authentication and authorization services. The SAML initiative is managed by the Security Services Technical Committee (SSTC) of OASIS, and Sun Microsystems is a co-chair of the SSTC in addition to holding several other technical positions."



The authentication and authorization information is shared across corporate networks, thus enabling single sign-on. A user authenticated on one company's network can be recognized on another, and this authentication lets companies decide whom to grant or deny authorization to access their resources.


Not only are the users identified; the systems that execute web service requests are also identified. This kind of sharing of user identity is referred to as federated identity management and is one of the emerging key technologies for distributed e-commerce and web services. The single sign-on feature allows companies to efficiently monitor user profiles and the resources users access. Besides, the authentication information can be used to offer personalized services and portal interfaces.


The role of XML framework


The purpose of the Committee (the XML-Based Security Services TC, SSTC) is to define an XML framework for exchanging authentication and authorization information. It consists of:

  • Security assertions (authentication, attributes and authorization)
  • Request/response protocol for generating and returning assertions
  • Bindings to particular transport protocols (such as SOAP over HTTP)
  • Profiles, which are sets of bindings and protocols for how SAML assertions can be embedded or transported between communicating systems.

Accordingly, the Committee will produce a set of one or more committee specifications covering use cases and requirements, core assertions, protocols, bindings, and a conformance suite, all of which are to be examined with respect to security considerations.


Explains Ganguly, "The security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain. Assertions can convey information about authentication acts performed by subjects, attributes, and authorization decisions about whether subjects are allowed to access certain resources."


He continues, "Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes. Note that assertions containing authentication statements merely describe acts of authentication that happened previously."



According to the Committee Specification, assertions are issued by SAML authorities, such as authentication authorities, attribute authorities and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and receive a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols.


SAML currently defines one binding, to SOAP over HTTP. SAML authorities can use various sources of information, such as external policy stores and assertions received as input in requests, in creating their responses. Thus, while clients always consume assertions, SAML authorities can be both producers and consumers of assertions.
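The nested assertion structure Ganguly describes above and the request/response protocol bound to SOAP over HTTP, shown together in an added, constructed example that is not from the article, OASIS or Sun: a Python script that plays the SAML authority (building a SAML 1.0 assertion with one authentication, one attribute and one authorization decision statement and returning it in a samlp:Response inside a SOAP envelope) and then the relying party (unwrapping the binding and checking status, version, validity window and audience before extracting the subject, attributes and decisions). The issuer, subject, audience, resource and attribute names are made up; XML Signature verification, which a real consumer performs before any of these checks, is omitted here.

```python
"""Constructed SAML 1.0 exchange (not from the article, OASIS or Sun):
authority builds Envelope/Body/Response/Assertion, relying party validates it.
XML Signature verification is out of scope; a real consumer verifies the
authority's signature before trusting anything below."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"saml": SAML, "samlp": SAMLP, "soap": SOAP}
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_response(subject_email, resource, audience, now):
    """Authority side: one assertion with three statement kinds, wrapped in
    samlp:Response and a SOAP envelope. All identifiers are made-up values."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    resp = ET.SubElement(body, f"{{{SAMLP}}}Response", MajorVersion="1",
                         MinorVersion="0", ResponseID="_resp-1",
                         IssueInstant=now.strftime(TS))
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="samlp:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", MajorVersion="1",
                      MinorVersion="0", AssertionID="_assert-1",
                      Issuer="idp.example.com", IssueInstant=now.strftime(TS))
    # Conditions bound the assertion in time and to one intended audience.
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(TS),
                         NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience

    def subject(parent):  # subject identified by e-mail address, as in the text
        s = ET.SubElement(parent, f"{{{SAML}}}Subject")
        ET.SubElement(s, f"{{{SAML}}}NameIdentifier",
                      Format=f"{SAML}#emailAddress").text = subject_email

    auth = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password",
                         AuthenticationInstant=now.strftime(TS))
    subject(auth)
    attr = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    subject(attr)
    at = ET.SubElement(attr, f"{{{SAML}}}Attribute", AttributeName="role",
                       AttributeNamespace="urn:example:attrs")
    ET.SubElement(at, f"{{{SAML}}}AttributeValue").text = "purchaser"
    dec = ET.SubElement(a, f"{{{SAML}}}AuthorizationDecisionStatement",
                        Resource=resource, Decision="Permit")
    subject(dec)
    ET.SubElement(dec, f"{{{SAML}}}Action",
                  Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc").text = "Read"
    return ET.tostring(env, encoding="unicode")


def consume(soap_xml, expected_audience, now):
    """Relying-party side: unwrap the binding, check status, then check the
    assertion before extracting what it claims. Raises ValueError on rejection."""
    root = ET.fromstring(soap_xml)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("authority did not return Success")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("response carries no assertion")
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "0"):
        raise ValueError("unsupported SAML version")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion without Conditions is not accepted here")
    nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        raise ValueError("assertion was issued for a different audience")
    subj = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    attrs = {e.get("AttributeName"): [v.text for v in e.findall("saml:AttributeValue", NS)]
             for e in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    decisions = [(d.get("Resource"), d.get("Decision"))
                 for d in a.findall("saml:AuthorizationDecisionStatement", NS)]
    return {"issuer": a.get("Issuer"), "subject": subj.text if subj is not None else None,
            "attributes": attrs, "decisions": decisions}


def demo(skew_minutes=1):
    """Run the exchange with constructed values, consuming skew_minutes after issue."""
    t0 = datetime(2002, 11, 12, 12, 0, 0, tzinfo=timezone.utc)
    msg = build_response("alice@example.com", "https://sp.example.com/orders",
                         "https://sp.example.com", t0)
    return consume(msg, "https://sp.example.com", t0 + timedelta(minutes=skew_minutes))


def accepted(skew_minutes):
    """True if the constructed assertion is still accepted skew_minutes after issue."""
    try:
        demo(skew_minutes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(demo())            # fresh assertion: subject, attributes and decision extracted
    print(accepted(10))      # five-minute window has passed: False
```

The consumer deliberately refuses an assertion that has no Conditions at all, and treats the audience restriction and the validity window as hard failures; the statements in the assertion are only read out after those checks pass, which is the order a relying party should keep even once signature verification is added in front of it.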


Benefits


According to the OASIS report, some of the key advantages of SAML are:


  • In an application supporting SAML, or in a single sign-on environment, no user directory duplication or matching is necessary. Security information in the form of SAML assertions moves along the user's path. As a result, users coming from a source web site do not have to re-authenticate themselves at the destination web site.

  • In an XML message transfer environment, SAML provides attribute-based authorization that goes significantly beyond authentication based upon XML digital signatures.

  • In a remote authorization environment, SAML supports a scalable "hub-and-spoke" security model, which eliminates the need for point-to-point solutions. The same language is used by many services across many enterprises.

The SAML OASIS Open Standard consortium consisted of several developers and vendors, including Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun Microsystems, Verisign, and other members of the OASIS Security Services Technical Committee.


According to Jyotinath, after undergoing several rounds of review and evaluation, the SAML v1.0 draft specifications were defined in April 2002, and the OASIS technical committee ratified SAML v1.0 on November 12, 2002. Sun Microsystems, one of the co-chairs of the consortium, proposes to shortly release Sun ONE Identity Server v6, based on the SAML standard.


