Widespread Web services adoption did not hinge on this week's ratification of the Security Assertion Markup Language (SAML), version 1.0, as an open standard by the Organization for the Advancement of Structured Information Standards (OASIS).
Instead, what acceptance of SAML does is enable transactions among enterprises, connecting collaborative applications in a secure way without being tied to a particular vendor's security tools, said Bob Blakely, IBM Tivoli's chief scientist for security and privacy. Blakely was IBM's representative to the OASIS Security Services Technical Committee and general editor of the SAML specification document.
"There's going to be a big uptake in Web services adoption anyway because companies like IBM, Sun, Microsoft and others are committed to Web services," Blakely said. "SAML is not the crucial missing link for Web services adoption. That will happen. What is going to happen is that for developers building supply chain and collaborative applications, it will be easier to do that while making independent technology choices."
SAML is an XML-based framework that allows for the secure exchange of authentication and authorization information among business partners, OASIS said. SAML enables Web-based security interoperability functions, such as single sign-on across sites hosted by multiple companies.
"Not only is SAML a stable set of specifications to develop to, but it has achieved consensus among the OASIS membership that it is ready for prime time," said Eve Maler, XML standards architect for Sun Microsystems Inc. and one of the co-founders of OASIS' SSTC. "It will allow enterprises to develop security services and identity services that interoperate to a high degree."
Blakely added: "SAML is the last tool in a security-protocol builder's tool kit. It's a way for one participant in a Web services transaction to make statements to another participant."
SAML is a medium for making authentication and attribute assertions about Web services participants, identifying who they are and what permissions they have during a transaction. SAML allows both ends of a transaction to execute their business regardless of protocol, Blakely said.
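To make the authentication and attribute assertions described above concrete, here is an added example (not from the article or from any vendor's product) in which a relying party consumes a constructed SAML 1.0 assertion: it reads the subject and attributes only after checking the version, the validity window and the audience restriction. The issuer, audience URLs, IDs and attribute values are constructed for illustration, and XML Signature verification, which a real deployment must do before trusting any of this, is assumed to happen elsewhere.

```python
# Added example: minimal relying-party checks on a constructed SAML 1.0 assertion.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion; issuer, audience, IDs and values are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="_example-id-1"
    Issuer="https://idp.example.org" IssueInstant="2003-01-10T12:00:00Z">
  <saml:Conditions NotBefore="2003-01-10T12:00:00Z" NotOnOrAfter="2003-01-10T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://portal.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2003-01-10T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>purchasing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML 1.0 timestamps are UTC in xsd:dateTime form with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, expected_audience, now_utc):
    # Returns (subject, {attribute: [values]}) when acceptable, otherwise None.
    # Assumes the enclosing message's XML Signature was already verified.
    now = _ts(now_utc)
    root = ET.fromstring(xml_text)
    if root.get("MajorVersion") != "1" or root.get("MinorVersion") != "0":
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None:  # policy choice here: require an explicit validity window
        return None
    # NotBefore is inclusive, NotOnOrAfter is exclusive.
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        return None
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        return None
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        return None
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name.text, attrs
```

Calling `consume_assertion(SAMPLE_ASSERTION, "https://portal.example.com", "2003-01-10T12:02:00Z")` yields the subject and its attributes; the same assertion presented to another audience, before NotBefore, or at NotOnOrAfter is rejected.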
"SAML 1.0 concentrates on single sign-on, and that's of core import for consumers and enterprises alike, where they can use federated identities on affiliated sites and take advantage of services offered," Maler said. "A lot of enterprise portal environments will be interested in SAML 1.0."
The SAML framework complements industry-standard protocols like XML Signature, XML Encryption and SOAP, which lack security features. According to OASIS, it is easily integrated into HTTP environments and standard Web browsers.
"SAML allows vendors to interoperate for the benefit of their customers," said Jeff Hodges of Sun Microsystems, co-chair of the OASIS Security Services Technical Committee, in a statement this week. "The standard is easily implemented by companies in existing environments, and SAML-aware security applications are already being introduced. Related security initiatives, such as Liberty Alliance's Version 1.0 Specification, are leveraging SAML in order to more quickly realize their goals."
Companies like Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun Microsystems, VeriSign and others were involved in developing SAML.
Numerous vendors, including Netegrity, Sigaba, IBM and Microsoft, are already working on including support for SAML in their products and were waiting for the ratification of the final draft to begin final product testing and shipping plans.
"The next step is for vendors to start shipping it in their products," Blakely said. "I believe that by the end of 2003, it will be difficult to find a Web services product that does not consume SAML assertions."
Maler also said that SAML 1.0 will go a long way toward commoditizing security tools.
"Vendors of specific security solutions will be able to interoperate a great deal more," she said. "This gives enterprise consumers more of a choice as these services become commoditized. It levels the playing field somewhat and fosters some good, healthy competition."