RSA: Single Sign-On Off The Drawing Board

by Erin Joyce

A key protocol for securing identities among trading partners is taking hold in the commercial world. Will more major tech companies support the spec?

SAN FRANCISCO -- Single sign-on is finally moving from theory to practice in the commercial world, thanks to the growing adoption of the Security Assertion Markup Language (SAML 2.0) specification, a key protocol for secure digital identity management within Web-based transactions.

Now, the question is whether more technology vendors will support the markup language in their digital identity platforms.

During the RSA Security conference here, some 13 vendors joined the U.S. General Services Administration (GSA) to demonstrate their support for the GSA's e-Gov program of conducting secure transactions using the SAML 2.0 specification. The GSA is aiming for full implementation by this summer.

Member companies within industry standards body OASIS (Organization for the Advancement of Structured Information Standards), which built the SAML 2.0 spec, must still formally approve version 2.0. But the final vote is academic.

Major technology vendors such as Oracle, Computer Associates, and RSA Security are already shipping new identity management products and appliances built on the SAML 2.0 spec or have products in the works that will support the SAML spec.

In the process, more companies and business partners are conducting high-value transactions with the secure log-in specifications. The markup language helps trading partners exchange authentication, authorization and nonrepudiation information in the same manner across different Web sites.

Rob Philpott, a senior consulting engineer at RSA Security, said the spec's growth got a leg up from the contributions and support of Liberty Alliance, another Web services identity management group.

"If you look at the backers of the Liberty Alliance, and the backers of SAML, they're one and the same now. It's not a contest," Philpott told internetnews.com. "Identity is central in the digital ID world. You need to be able to know who the user is. How do we know the person doing the transaction is who they say they are? We need ways to federate those identities. You also want to control who has access to that ID information. SAML 2.0 helps do that."

The support of the Liberty Alliance, the Sun Microsystems-led initiative started as an alternative to Microsoft's .NET and Passport digital identity management systems, is key, since the Liberty Alliance is also working on Web services security and messaging protocols.

Philpott, who heads the OASIS technical committee that wrote the final SAML 2.0 spec, likened the growing use of SAML 2.0 to the adoption of the TCP/IP networking protocol, a standard the technology industry rallied around in order to help make widespread adoption of Internet technologies possible.

Oracle's Uppili Srinivasan, a senior director for the company's identity management and security products group, said Web services are rapidly becoming the cornerstone for integration and B2B transactions. "SAML 2.0 will further propagate the use of Web services for federated identity management to securely connect customers, partners and employees with the information they need."

But even with the support of major tech vendors such as Sun Microsystems, Oracle and even IBM, via their participation in the Liberty Alliance's approval of the spec, SAML adoption still needs the blessing of that other major tech company: Microsoft.

"We're still faced with a situation whereby if you are in an all-Windows world, you do it the Microsoft way. If you're in a non-Windows world, you do it the SAML way," said John Pescatore, a security analyst with Gartner. "So we'll still have a lot of interoperability problems" without Microsoft's participation in deploying the spec.

Microsoft has commented on the SAML 2.0 spec within different working groups and supports it within development tools as part of the Microsoft Developers Network (MSDN). Plus, it has been warming to SAML in recent years, especially as it moves away from supporting its Passport system along with partner companies. For example, eBay announced in December that it would no longer support Passport.

Microsoft is a member of the Web Services Interoperability Organization, another industry group that promotes Web services interoperability across platforms, operating systems and programming languages. OASIS members and other working groups said they are optimistic that the WSI will also build in support for SAML 2.0 the way the Liberty Alliance has.

Indeed, some competing security specifications from the WSI actually complement SAML already, Philpott added. "You can use SAML assertions to describe rich claims about an identity that you can't do with other tokens. So you can use SAML within WS security tokens to secure Web services."

Philpott said OASIS is now working with the International Telecommunication Union to see whether it will support the SAML 2.0 spec, and is looking for more ways that different Web services standards groups can converge on the same markup language for identity management tokens.

But for now, he added, SAML 2.0 has the benefit of real implementations to help the market drive adoption, rather than specifications based on theory.

This article was originally published on Thursday Feb 17th 2005