Speaking SAML

Security Assertion Markup Language provides a standard way to exchange authentication and authorization information between applications from different vendors.

SAML 1.1 is an XML framework developed by OASIS (Organization for the Advancement of Structured Information Standards). It's used for Web single sign-on in the Liberty Alliance specification 1.1 as well as for authentication services in the alliance's Web Services Security specification. (For more on the Liberty Alliance spec, see "Give Me Liberty?" and "Making ID Management Manageable".) Web services are emerging as a hot spot for SAML: Provisioning packages such as Novell's Nsure and Computer Associates' eTrust Admin soon will support SAML. Meanwhile, key software vendors, including CrossLogix, IBM's Tivoli Systems, Netegrity, Novell, Oblix, RSA Security and Sun Microsystems, offer support for SAML in their security applications. And Microsoft's new .Net Server operating system will come with SAML support, too. (For more on Web Services Security, see "Dive Carefully".)

Assert Yourself

[Figure: Table of Elements]

SAML, which is platform-independent, consists of assertions, protocols, bindings and profiles. Assertions are statements that an identity authority makes about an end user--human or machine. An identity authority is a trusted source of authentication and authorization decisions, such as Active Directory. AD serves as an identity authority in many organizations because it typically contains security information for multiple applications. Assertions are a response to requests like "Is John Smith allowed access to the HR Web site?"

There are three types of assertions: authorization, authentication and attribute. All assertions include a set of common elements: the subject, conditions and authentication statement (see "The Table of Elements," left).

Each assertion also contains information about the type of request made. If a user requests authorization to a human resources application, for instance, the assertion says whether he was allowed or denied the request, and the scope of his privileges. If he requests authentication to the network or an application, the assertion specifies the method of authentication and the date and time he was authenticated. This lets the application determine whether the authentication method the user went through is sufficient. Some applications, like e-mail and e-commerce, accept a password, while a health-care record application requires something stronger, such as a security token. The application can accept or reject the authentication assertion. SAML can use passwords, Kerberos, secure remote passwords, hardware tokens, public keys (X.509, SPKI, XKMS, SSL/TLS certificates) and XML digital signatures.
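As an added illustration (not code from the article or from any vendor named in it), here is how a relying application might apply that "is the method sufficient?" decision to a SAML 1.1 authentication assertion: it checks the Conditions validity window, reads the AuthenticationMethod and AuthenticationInstant from the authentication statement, and compares the method against a per-application minimum. The strength ranking, the two application policies, the sample assertion and its issuer name are all constructed assumptions; the method identifiers are the ones defined in the SAML 1.1 core specification.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# SAML 1.1 authentication-method identifiers (core spec, section 7.1), ranked by
# the strength this hypothetical relying party assigns to each.
STRENGTH = {
    "urn:oasis:names:tc:SAML:1.0:am:password": 1,
    "urn:ietf:rfc:1510": 2,  # Kerberos
    "urn:oasis:names:tc:SAML:1.0:am:HardwareToken": 3,
    "urn:ietf:rfc:2246": 3,  # SSL/TLS client certificate
}
# Minimum strength each hypothetical application demands, mirroring the article:
# e-mail accepts a password, a health-care record system wants a token.
POLICY = {"email": 1, "health-records": 3}

def parse_instant(iso):
    """Parse a SAML UTC timestamp such as 2004-03-01T12:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def evaluate(assertion_xml, app, now):
    """Return (accepted, reason); XML-signature and issuer checks are assumed done already."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:  # validity window set by the identity authority
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            return False, "assertion not yet valid"
        if na and now >= parse_instant(na):
            return False, "assertion expired"
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no authentication statement"
    method = stmt.get("AuthenticationMethod", "")
    if STRENGTH.get(method, 0) < POLICY[app]:  # unknown/unspecified methods rank weakest
        return False, f"{method or 'unspecified'} is too weak for {app}"
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    return True, f"{subject} authenticated via {method} at {stmt.get('AuthenticationInstant')}"

# Constructed sample: a password login asserted by a hypothetical identity authority.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="constructed-1"
  Issuer="idp.example.test" IssueInstant="2004-03-01T12:00:00Z">
  <saml:Conditions NotBefore="2004-03-01T12:00:00Z" NotOnOrAfter="2004-03-01T12:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2004-03-01T11:59:50Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
```

The same assertion is accepted by the e-mail application and rejected by the health-records application, which is exactly the per-application decision the paragraph describes.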
