Members Approve Security Assertion Markup Language - SAML - v2.0 as OASIS Standard

Business Wire, March 14, 2005

AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, Sun Microsystems, and Others Advance Standard for Single Sign-On

BOSTON -- OASIS, the international e-business standards consortium, today announced that its members have approved the Security Assertion Markup Language (SAML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. SAML v2.0 enables the secure exchange of authentication, attribute, and authorization information between disparate security domains, making vendor-independent Web single sign-on and secure e-business transactions possible. Version 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information.

"Prior to SAML, there was no XML-based standard that enabled the exchange of security information between a security system and an application," said John Pescatore, analyst at Gartner, Inc. "SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it also specifies a Web services-based request/reply protocol for exchanging these statements."

"The number of digital identities in today's world is exploding and business partners need better ways to federate and manage those identities in order to control access to their resources in the face of growing regulatory and compliance requirements," noted Rob Philpott of RSA Security, co-chair of the OASIS Security Services Technical Committee. "SAML v2.0 is the convergence point for the major identity federation initiatives deployed in the industry today; that is, SAML v1.x, Liberty ID-FF, and the Internet2's Shibboleth effort. With the release of SAML v2.0, the industry now has a very robust, proven foundation upon which to build identity-based solutions that meet those requirements."

SAML leverages core Web services standards including XML, SOAP, Transport Layer Security (TLS), XML Signature (XMLSIG), and XML Encryption (XMLENC).

"SAML v2.0 builds on the success of SAML v1.1 by providing a full-featured foundation for identity federation on the Internet," explained Prateek Mishra of Principal Identity, co-chair of the OASIS Security Services Technical Committee. "Some of its features fill in important 'gaps' observed in practical deployments: for example, the attribute profiles and metadata specification simplify agreement between businesses participating in a federation. Other features such as encryption, pseudonyms and user consent enable confidentiality and privacy of information about users."

"SAML v2.0 has the benefit of real implementations in a variety of industries to help the market drive adoption," stated Patrick Gannon, president and CEO of OASIS. "Major technology vendors are already shipping identity management products and appliances built on SAML, and governments are incorporating it into their architectures. Many other key XML standards already have defined clear profiles for working with this flexible and extensible OASIS Standard for the federated model of identity management."

Over 27 member organizations globally participate in this ongoing work, including representatives of AOL, BEA Systems, Boeing, Booz Allen Hamilton, Computer Associates, Entrust, Hewlett-Packard, IBM, Neustar, Nokia, Novell, Oracle, RSA Security, SAP, and Sun Microsystems. Participation remains open to all, and suppliers, end-users, and systems integrators are invited to join OASIS to advance the continued development and adoption of SAML. OASIS hosts an open mail list for public comment and the saml-dev mailing list for exchanging information on implementing the standard.

Industry Support for SAML 2.0 OASIS Standard

"In a relatively short time, SAML has become one of the most widely accepted standards for exchanging authorization data in Federated Identity environments. SAML 2.0 reflects this broad support in the number of organizations and individuals who contributed new features to it. BEA looks forward to increasing our support for SAML in future product offerings," said Hal Lockhart, Principal Engineering Technologist, BEA Systems.

"SAML 2.0 will be the keystone that enables many other elements of XML trust infrastructure to interoperate. For example, the upcoming XRI 2.0 specifications from the OASIS XRI (Extensible Resource Identifier) Technical Committee use SAML 2.0 assertions to provide trusted XRI resolution services. The OASIS XDI (XRI Data Interchange) Technical Committee also plans to foster trusted data interchange relationships using SAML 2.0," said Drummond Reed, CTO, Cordance Corporation, co-chair, OASIS XRI and XDI Technical Committees.

"SAML is fast becoming the dominant Web services standard for federating 'identity as a service', and promises to break the traditional lock between Web SSO 'shim' and server. The 2.0 version of SAML and the very successful 12-vendor OASIS SAML Interop lab at the RSA Conference are further proof of SAML's maturity," said Eugene Kuznetsov, CTO and Chairman of DataPower.


 


Content provided in partnership with Thompson Gale