OASIS ratifies SAML 1.1

The OASIS Internet standards consortium said Monday that its members ratified SAML (Security Assertion Markup Language) Version 1.1 as an official standard, approving changes to the specification will improve interoperability with other Web services security standards.

The vote assigns the highest level of OASIS (The Organization for the Advancement of Structured Information Standards) ratification to SAML 1.1 and could open the door for wider adoption of the XML (Extensible Markup Language) framework for companies using Web services to conduct high value transactions, according to Prateek Mishra of Netegrity Inc., co-chair of the OASIS Security Services Technical Committee.

SAML is a standard that supports so-called "federated identity" systems in which user authentication and authorization information is securely exchanged between Web sites within an organization or between organizations. SAML enables a user to sign on once to Web-enabled services, instead of having to repeatedly log in when they move from one Web site or Web-enabled application to another.

The SAML 1.0 standard, which was approved in November 2002, is widely in use by major corporations including The Boeing Co. and Fidelity Investments Inc., Mishra said.

The new version of SAML includes a number of updates and fixes for problems identified in the 1.0 standard, he said.

In particular, SAML 1.1 revised guidelines for the use of digital certificates to sign SAML user authentication exchanges, known as SAML assertions. SAML 1.0 standards were vague about how to digitally sign SAML assertions, creating interoperability problems between different companies implementing Web services using the 1.0 standard, Mishra said.

Only a "small group" of companies are currently interested in using digital certificates to sign SAML assertions. However, that group is growing, as companies look for ways to exchange sensitive data with employees and business partners while also verifying that digital transactions took place -- a capability known as "nonrepudiation," he said.

"I think people are definitely getting interested in using SAML for higher value transactions. Organizations want a signed form of nonrepudiation, and we definitely see that as a step towards wider adoption (of SAML), " Mishra said.

Having handed off the SAML 1.1 standards, OASIS's Security Services Technical Committee is now at work on the SAML 2.0 specification, Mishra said. That version will come with major additions to the standard based on feedback from large companies.

Among other things, the group is looking at ways to implement distributed log out, in which three or more Web sites that share a single login session will synchronize when a user terminates that session.

OASIS also wants to harmonize SAML 2.0 with the Liberty Alliance's ID-FF layer, another federated identity, single-sign on standard, Mishra said.

In a related announcement, RSA Security Inc. said Monday that a new version of the ClearTrust Web access management product includes support for user authorization and authentication using SAML Version 1.1 assertions.

ClearTrust Version 5.5 contains features for generating and processing SAML 1.1 assertions, the company said.

Other new features include Web-based administration of user identities, authentication mapping between Web sites and digital signature and certificate validation.

New management features that use technology licensed from Thor Technologies Inc. improve the ability of users to manage their own login account and password, group membership and user profile, RSA said.

Earlier versions of ClearTrust supported the SAML 1.0 standard, according to an RSA spokeswoman.