Microsoft says it won't support SAML 2.0

Microsoft backs WS-Federation protocols for next generation of message-based apps

Microsoft will stick by the set of protocols it has picked for identity federation, a concept that includes single sign-on (SSO) for several different Web portals and secure transfers of data between partnered businesses.

Microsoft has backed WS-Federation protocols for the next generation of message-based applications because it offers a full suite of security, message, and transaction protocols, said Don Schmidt, senior program manager for Microsoft's Identity and Access group. The company's stance is not about which protocol set is necessarily better but rather which offers a wider flexibility in accommodating federated identity, he said.

Schmidt gave a session Thursday on ADFS (Active Directory Federation Services), Microsoft's software for federated identity, at Microsoft's IT Forum 2005 in Barcelona.

The WS-Federation protocols compete with the SAML (Security Assertion Markup Language) 2.0 specification, which so far has strong footing in the race to create secured identity federation across organizations. SAML 2.0 is backed by consortiums such as the Liberty Alliance and the Organization for the Advancement of Structured Information Standards (OASIS).

SAML 2.0 protocols are fine for strictly Web single sign-on, Schmidt said. But the WS-Federation protocols are better equipped to deal with a distributed Web services environment for message reliability, transaction support and security, he said. SAML 2.0 does not have reliable messaging or transaction support, he said.

The problem for businesses is when they want to federate but have chosen a different set of protocols. Vendors are developing translators between the two standards, but Schmidt said those potentially could have a security problem since there a middle point where the data is processed, although he said he believes those systems will improve.

Microsoft will soon start shipping "a whole lot" of servers use WS-Federation protocols, and those client computers will be compatible, Schmidt said.