OASIS Provides Fertile Ground for Web Standards

First Published: InsideID.com
Date Published: November 12 2004
Copyright © 2004 by Kevin Savetz

You can't talk about federated identity management without talking about SAML -- Security Assertion Markup Language. SAML is an XML-based framework for creating and exchanging security information between online partners, and is one of the core standards that make federated identity systems work.

SAML was born in November 2002, created by a standards body known as OASIS. The Organization for the Advancement of Structured Information Standards (OASIS) is a non-profit, international consortium that drives the development, convergence, and adoption of e-business standards.

Founded in 1993, OASIS was originally called SGML Open and promoted the use of SGML (Standard Generalized Markup Language). It has since expanded to not only promote, but create, many open standards that drive online business.

SAML quickly became a core protocol for securely sharing information between trusted parties. Today it is used on the Web primarily for single sign-on services -- that is, having one online identity that works with two or more cooperating sites.

"SAML is becoming extremely pervasive. There are already two- to three hundred large deployments of SAML involving many large partners," Rob Philpott, co-chair of the OASIS Security Services Technical Committee, said.

"In order to do any sign-on you have to have identities that are in some way linked between sites," Philpott said. By itself, SAML could not handle the process of linking identities, so another group, the Liberty Alliance, developed the Identity Federation Framework. Based on SAML, the framework adds features for linking user accounts, provides additional session management capabilities, and adds other features to enhance federated identity.

The additions proved popular but are not compatible with SAML itself. Rather than having one spec working atop another, Liberty Alliance handed the improvements back to OASIS, which has folded those additions into a new version of SAML. SAML 2.0 will bring the two systems under one umbrella to form a unified standard that supports single sign-on and expanded functionality related to federated identity management.

Such close collaboration between standards bodies may seem surprising. After all, some standards organizations are better known for petty politics than creating standards that are, well, standard. But the shared effort between OASIS and Liberty Alliance made sense: the two groups share common goals, and many technology companies are members of both groups. OASIS members include SAP, VeriSign, RSA Security, Hewlett-Packard, and more than 600 other organizations worldwide.

SAML 2.0 recently finished the technical review process, and will be submitted to members for approval in early 2005.

"People think of user accounts or username/password combinations as your identity," Philpott said. "We're getting away from that concept of having a login-able user account everywhere," he said. Instead of having an account at every site, you can reply on trust arrangements between those sites. "My identity at my 401K provider may not have a user account at all if they trust my login from my employer."

Beyond simply verifying identity, SAML 2.0 will allow providers to selectively share attributes about users. Although one participant may have a full-blown profile about you (including your address, phone number, social security number, and so on) privacy laws, contracts, and government regulations may limit the data it can share. So in addition to basic authentication, SAML's security service provides the ability to transmit selected user attributes.

OASIS does more than SAML. In fact, the group produces more Web standards than any other organization. It has created and approved more than a dozen standards, including Directory Services Markup Language and the XML Common Biometric Format. OASIS also runs the xml.org Web site, a portal for information about Extensible Markup Language.

Recently, the organization announced that its members had approved Universal Business Language (UBL) version 1.0 as a standard. UBL defines a common XML library of business documents (such as purchase orders and invoices) and data components from which an other documents can be constructed. "UBL provides the world with standard electronic versions of traditional business documents designed to integrate with established commercial and legal practices," Jon Bosak, chair of the OASIS UBL Technical Committee and organizer of the working group, said. "Using UBL, businesses of all sizes can enjoy the benefits of electronic commerce."

Articles by Kevin Savetz