03/14/2005

OASIS, the international e-business standards consortium, today announced that its members have approved the Security Assertion Markup Language (SAML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SAML v2.0 enables the secure exchange of authentication, attribute, and authorization information between disparate security domains, making vendor-independent Web single sign-on and secure e-business transactions possible. Version 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information.

“Prior to SAML, there was no XML-based standard that enabled the exchange of security information between a security system and an application,” said John Pescatore, analyst at Gartner, Inc. “SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it also specifies a Web services-based request/reply protocol for exchanging these statements.”

“The number of digital identities in today’s world is exploding and business partners need better ways to federate and manage those identities in order to control access to their resources in the face of growing regulatory and compliance requirements,” noted Rob Philpott of RSA Security, co-chair of the OASIS Security Services Technical Committee. “SAML v2.0 is the convergence point for the major identity federation initiatives deployed in the industry today; that is, SAML v1.x, Liberty ID-FF, and the Internet2's Shibboleth effort. With the release of SAML v2.0, the industry now has a very robust, proven foundation upon which to build identity-based solutions that meet those requirements.”

SAML leverages core Web services standards including XML, SOAP, Transport Layer Security (TLS), XML Signature (XMLSIG), and XML Encryption (XMLENC).

“SAML v2.0 builds on the success of SAML v1.1 by providing a full-featured foundation for identity federation on the Internet,” explained Prateek Mishra of Principal Identity, co-chair of the OASIS Security Services Technical Committee. “Some of its features fill in important ‘gaps’ observed in practical deployments: for example, the attribute profiles and metadata specification simplify agreement between businesses participating in a federation. Other features such as encryption, pseudonyms and user consent enable confidentiality and privacy of information about users.”

“SAML v2.0 has the benefit of real implementations in a variety of industries to help the market drive adoption,” stated Patrick Gannon, president and CEO of OASIS. “Major technology vendors are already shipping identity management products and appliances built on SAML, and governments are incorporating it into their architectures. Many other key XML standards already have defined clear profiles for working with this flexible and extensible OASIS Standard for the federated model of identity management.”

Over 27 member organizations globally participate in this ongoing work, including representatives of AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, and Sun Microsystems. Participation remains open to all, and suppliers, end-users, and systems integrators are invited to join OASIS to advance the continued development and adoption of SAML. OASIS hosts an open mail list for public comment and the saml-dev mailing list for exchanging information on implementing the standard.

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 4,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include AVDL, CAP, DocBook, DSML, ebXML, SAML, SPML, UBL, UDDI, WSDM, WS-Reliability, WSRP, WSS, XACML, and XCBF.

For more information, access http://www.oasis-open.org