The Organization for the Advancement of Structured Information Standards on Wednesday formally approved a standard security protocol that is likely to become the building block for integrating corporate user access control systems over the Internet.
The protocol also is seen as a cornerstone for building a security infrastructure to support emerging Web services.
After nearly two years of work, OASIS stamped the Security Assertion Markup Language 1.0 as an official Open Standard, the group’s highest level of ratification.
SAML 1.0 is an XML-based framework for exchanging authentication and authorization credentials over the Web. The protocol incorporates other XML-based standard protocols, including XML Signature, XML Encryption, and the Simple Object Access Protocol (SOAP).
SAML promises to give corporations a way to tie together disparate security systems internally and with business partners. It would allow users to obtain a SAML “assertion” containing user identity and access controls from one site and use it to gain access to other sites that support the SAML specification.
“SAML is perfect for single sign-on in browser-based environments and for [business-to-business] server interaction when live users are not involved,” says Marc Chanliau, the senior product manager for XML technologies at Netegrity who helped develop the protocol. Netegrity has two SAML-compliant products, SiteMinder and Transaction Minder.
Netegrity is one of a handful of vendors with products that support SAML, including Baltimore Technologies, Crosslogix, Entegrity Solutions, ePeople, Novell, OverXeer, Oblix, RSA Security, Sigaba, Sun Microsystems and Tivoli Systems.
The Liberty Alliance, which in July released a specification for creating standard network identities, also has embraced SAML as the core of its initial specification.
Further, SAML is being used as part of the WS-Security specification for securing Web services. That specification was developed by IBM, Microsoft and VeriSign, and the three turned it over to OASIS in June.
WS-Security outlines how to integrate disparate security credentials - such as Kerberos, Public Key Infrastructure and SAML - using a set of extensions to SOAP. WS-Security will allow Web services to pass secure and signed messages, a process that today requires a patchwork of proprietary technologies.