The SAML web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

Shared identities

Government Computer News discusses how a federated approach makes identity management portable: Overlapping identity management systems can be as much of a pain to users — and ultimately to systems administrators — as multiple passwords. Agencies that maintain multiple user repositories or whose processes cross more than one security domain should consider implementing federated identity management to reduce administrative overhead and costs while increasing security and simplifying the user’s experience. The primary objective of federated identity management is to give authorized users the ability to securely access applications or services both in their own organization and in other domains without the need for redundant user administration in all the domains involved.

The need is obvious; with the increased integration of Internet-related technologies into business processes, users often need to cross domains to access external systems. Likewise, external users often need to access internal systems.

Imagine federal, state and local first responders being able to access all levels of resources with a single sign-on. A federated identity management system can handle that type of responsibility without sacrificing security.

Cross-domain challenges

The first federation standard, OASIS’ SAML is an Extensible Markup Language-based mechanism that supports the exchange of authentication and authorization information between multiple security domains. It developed in response to the challenges of addressing cross-domain single sign-on (SSO) functions.

On the heels of the initial SAML specification, the Liberty Alliance developed the Liberty Federation Framework (ID-FF) that added new functionality, such as account linking and introductions.

At the same time, the people involved with Internet2 created an open-source standard called Shibboleth, based on SAML 1.1 and used primarily in higher education to support SSO and the exchange of user attributes.

Another specification — the WS-Federation Standard — emerged to address federated identity, authentication and authorization standards in service-oriented architectures (SOA). Contributors to this effort include BEA Systems, BMC Software, CA, IBM, Layer 7 Technologies, Microsoft, Novell and VeriSign.

More recently, OASIS issued the SAML 2.0 specification, which blends functionality from SAML Version 1.1 and the Liberty ID-FF and Shibboleth specifications.

The IBM Tivoli Federated Identity Manager interoperates with the SAML, Liberty, WS-Federation, WS-Secure and WS-Trust standards. It provides policy-based federation for organizations that are deploying SOAs or Web services. In addition, it provides a mechanism to integrate a simplified security approach between distributed applications and services and older mainframe applications.

The IBM solution is supported on AIX, HP-UX, Linux, Windows and z/OS.

Oracle’s Identity Federation solution supports the SAML specification along with the Liberty ID-FF and WS-Federation standards.

It can integrate with existing identity and access management solutions, which can reduce implementation times and costs. To address performance and disaster recovery, Oracle Identity Federation includes support for load balancing and failover. It is supported on Red Hat Linux and Windows.

The Java System Federation Manager from Sun Microsystems embraces not only the SAML and Liberty ID-FF specifications but also the Liberty ID-WSF (Web Services Framework). Like IBM, Sun takes a policy-based approach to federation, and its solution includes policy agents for a number of technologies, such as directory, Web and application servers. This solution runs on Solaris, Red Hat Linux and Windows.

Read the complete article by Maggie Biggs at GCN. Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | OSLC | WS-I