Microsoft ends standoff against SAML 2.0

Microsoft's federated identity platform passed its first SAML 2.0 interoperability test; the company previously shunned the protocol for WS-Federation

Microsoft's federated identity platform passed its first SAML 2.0 interoperability test with favorable marks, signaling the end to the vendor's standoff against the protocol.

The eight-week multivendor interoperability workout conducted by the Liberty Alliance and the Kantara Initiative also resulted in passing marks for two other first-time entrants -- SAP and Siemens. Return testers Entrust, IBM, Novell, and Ping Identity also passed. Results were announced Wednesday.

[ Related: Microsoft's single sign-on platform was formerly named Geneva. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

11 security companies to watch

"The Liberty Interoperable testing was a great opportunity to verify that Active Directory Federation Services (AD FS) 2.0 is interoperable with others' SAML 2.0 implementations. This should give our customers confidence that their federation deployments using ADFS will 'just work,'" says Conrad Bayer, product unit manager for federated identity at Microsoft.

In the past, Microsoft has been dismissive of the Security Assertion Markup Language (SAML), a standard protocol for exchanging authentication and authorization data between and among security checkpoints, preferring the WS-Federation and other protocols it helped develop. The company previously supported the SAML token, but never the transport profiles of the protocol.

"It is significant that Microsoft participated given their previous stance on the SAML protocol," says Gerry Gebel, an analyst with the Burton Group. "For the first product version that supports SAML, they have covered the core bases."

Microsoft's interoperability testing focused on SAML's Service Provider Lite, Identity Provider Lite and eGovernment profiles. The company says it plans to support other SAML profiles based on demand.

The interoperability event featured the largest group of participants ever for the testing, which has been run twice previously. In addition, it was the first test to include an international group to test the eGovernment SAML 2.0 profile v1.5. The test featured the United States, New Zealand and Denmark.

"The fact that we were able to put so many new implementations through a full matrix, rigorous interoperability test speaks to the maturity of the SAML 2 protocol," says Brett McDowell, executive director of the Kantara Initiative. "And it is not just implementation; there is a tremendous amount of deployments."

"Full matrix" testing means all participants must test against each other. The test was conducted over the Internet from points around the globe using real-world scenarios between service providers and identity providers as defined by the SAML 2.0 specification.

Microsoft participated in the testing with Active Directory Federation Services 2.0 (formerly code-named Geneva), which is slated to ship later this year. ADFS 2.0 is part of a larger identity platform that includes Windows Identity Foundation and Windows Cardspace.

Microsoft said earlier this year it would have SAML 2.0 certification before it released Geneva. The SAML profiles ADFS 2.0 supports cover the core features of federation.

ADFS 2.0 provides identity information and serves as a Security Token Service (STS), a transformation engine that is key to Microsoft's identity architecture. ADFS lets companies extend Active Directory to create single sign-on between local network resources and cloud services.

It wasn't all smooth sailing for Microsoft, however, as some participants reported problems using Internet Explorer 6.0 and 7.0 for SAML single sign-on, which is primarily a Web browser action.

The issue was noted in a report by the Drummond Group, which conducted the testing, and centered on long URL values mostly when encryption was enabled during specific operations. Internet Explorer does not accept URLs longer than 2,083 characters. Testers got around the issue by using other browsers. Microsoft tested against IE 8 and Firefox 3.5.2.

While Microsoft's participation was an important milestone for the advancement of SAML, McDowell says the current testing is significant on other fronts.

The test marks a transition with the Kantara Initiative now taking over future tests. The group will adopt the Liberty Alliance testing methods and expand the scope of tests to include other protocols in addition to SAML. And it will build off the eGovernment profile testing as new profiles for other vertical markets, including healthcare and telecommunications, are developed.

"Having countries come together and agree on a deployment profile, that is not to be understated," McDowell says. The level of cooperation between governments will serve as a model for other industries, he says.

In addition, next year Kantara will pick two other protocols to test from a list made up of WS-Security, Information Card, Identity Metasystem Interoperability, OAuth, and XRD.

Kantara also will take cues from Project Concordia and eventually begin to test cross-protocol interoperability.

The next Kantara interoperability test is slated for next year.

Follow John on Twitter.

This story, "Microsoft ends standoff against SAML 2.0" was originally published by Network World.