Topic: [Recommended] SAML introduction and resource compilation

Posted by admin (W3China webmaster) in the 『 XML安全 』 (XML Security) board of the XML.ORG.CN forum.

    [October 15, 2002] [URL=http://xml.coverpages.org/NetegrityTM200210.html]"Netegrity Addresses Web Services Security With Release of TransactionMinder. Enables Companies to Use Web Services to Unlock and Integrate Mission Critical Applications For Internal Users and External Partners."[/URL] - [URL=http://www.netegrity.com/]Netegrity, Inc.[/URL], leading "provider of application infrastructure for access, identity and portal management, has announced the release of [URL=http://www.netegrity.com/products/index.cfm?leveltwo=txMinder]Netegrity TransactionMinder[/URL]. Companies are utilizing Web services to lower the cost and complexity of integrating applications and delivering services while improving customer and partner relations through real time access to business services. However, the lack of security for Web services has limited the scope of these Web services deployments. Netegrity TransactionMinder solves this problem by providing the first, enterprise scale solution for controlling access to Web services. With TransactionMinder, companies can now control who can access a Web service (authentication) and what can be done with the Web service (authorization)... Web services pose a new set of security challenges that traditional access control products were not designed to solve. Traditional access control solutions control users accessing applications on a Web site. With Web services, XML messages, not users, are now arriving at a Web site. These XML messages contain information that will be used to process a transaction at the Web site, such as a purchase order for buying steel or a request for a life insurance quote. In order to secure Web services, companies need a solution that can use the information inside these XML messages to determine (1) Who is requesting access to this Web Service (authentication) -- the solution must be able extract from the XML message information to determine who or what (application) is the originator of the message. 
Are they a trusted user or partner? (2) What can be done with this Web service (authorization) - the solution must determine if this person, application, or service is authorized to process this Web service transaction based on the information inside the XML message. (3) What reports or information should be recorded (auditing) - the solution must be able to provide detailed reports on the activity that has taken place with the Web service... TransactionMinder is based on industry standards. It is designed to work with standard Web services technologies such as SOAP messages and WSDL. The product also supports [URL=http://www.netegrity.com/products/index.cfm?leveltwo=SAML]SAML[/URL] and [URL=http://www.w3.org/Signature/]XML Digital Signatures[/URL] for authentication and supports industry standard Web service frameworks such as Microsoft .NET, Apache, and Netscape servers..."

    [October 10, 2002] [URL=http://xml.coverpages.org/CommunicatorHub-SAML.html]"Communicator Inc Enables Identity Management Service with SAML Standard. Security Assertions Markup Language Capability Enables Faster Implementation of Single Sign-on."[/URL] - "[URL=http://www.communicatorinc.com/]Communicator Inc[/URL], a leading provider of secure electronic communication services to Fortune 1000 companies, announced today that it has enabled its digital identity management service, [URL=http://www.communicatorinc.com/HubID_Overview.html]Communicator Hub ID[/URL], to leverage the Security Assertions Markup Language (SAML) standard. This will allow companies that use SAML-enabled access and authorization products to join Hub ID's single sign-on service faster. Communicator Inc also announced that it has joined the Organization for Advancement of Structured Information Standards (OASIS), the body that oversees the SAML specifications... Communicator Inc pioneered a federated directory structure within Hub ID to enable single sign-on among various enterprises. This structure enables companies to maintain complete control over their customer, partner, supplier and employee lists even as authentication information is shared... SAML is an XML standard for exchanging security credentials between online business partners, regardless of the authorization product used by either partner. Communicator Hub ID will augment its proprietary Cooked URL (CURL) protocol for exchanging authentication credentials with SAML, thereby eliminating a key barrier to cross-enterprise single sign-on. The standard enables companies that use SAML-enabled access and authentication products to be up and running with Hub ID faster. 'SAML will make it easier and faster for our member companies to achieve single sign-on through Hub ID,' said Staunton Peck, president of SecuritiesHub, an online financial community that links securities dealers with institutional investors around the globe. 
'When authentication information moves from one financial institution to another, there are numerous business rules and policies that must be implemented to securely exchange that information. While SAML makes that process easier, we still need a company like Communicator Inc to ensure that Jonathan Doe from one company is the same person as John A. Doe at another company'..."

    [October 08, 2002] Entrust Announces New Secure Transaction Platform and Proposed Security Standards. Announcements from Entrust on 2002-10-07 outline a comprehensive vision and product delivery roadmap for web services security, to be offered through the Entrust Secure Transaction Platform. "Developed using open industry standards, these [URL=http://xml.coverpages.org/EntrustSecureTP.html]services initially include[/URL]: (1) the Entrust Identification Service, designed to enable validation of federated and non-federated identities across a spectrum of standards-based identification methods, including digital certificates and UserID/passwords. This capability enhances Web services application security by managing multiple identification methods; it also allows organizations to centrally specify which identities are accepted for Web services transactions; (2) The Entrust Entitlements Service, which implements the Security Assertion Markup Language (SAML) standard protocol that enables applications to validate that an identity has a right to interact with specific Web services; (3) The Entrust Verification Service, which supports accountability and integrity for more trusted transactions through centralized digital signature and time stamping capabilities, implemented using standards-compliant XML Digital Signatures." Entrust announced that it has [URL=http://xml.coverpages.org/EntrustSecStandards.html]submitted a set of related security standards proposals for Web services[/URL] to OASIS. "These standards proposals specify open, XML protocols for digital signature and timestamping services operating in a Web services context." [[URL=http://xml.coverpages.org/ni2002-10-08-d.html]Full context[/URL]]

    [September 23, 2002] [URL=http://xml.coverpages.org/NetegritySiteMinderv55.html]"Netegrity Ships SiteMinder 5.5 with SAML, Passport, and Kerberos Support. Enables Enterprises to Extend their Security Infrastructure with Federated Identity Services."[/URL] - [URL=http://www.netegrity.com/]Netegrity, Inc.[/URL], leading provider of application infrastructure for access, identity and portal management, today announced that Netegrity SiteMinder 5.5 is now shipping. SiteMinder 5.5 enables federated identity and security with support for SAML, Microsoft .Net Passport, and Kerberos. Federated security enables companies to standardize the sharing of identity information across applications within the enterprise as well as to partner companies outside of the enterprise. Federated security is key to enabling businesses to more easily and cost effectively leverage their partnerships in order to provide customers with seamless and personalized access across a network of connected services... Netegrity's federated security model enables companies to leverage a single unified authentication, single sign-on, authorization, and auditing model to provide shared security services, regardless of whether the application is hosted locally within the organization or remotely by a partner. This enables users to log in just once, using a broad range of authentication services. Netegrity is providing support for SAML, Passport and Kerberos in SiteMinder 5.5 to provide customers with a standards based approach to allowing authentication and identity information to be shared among multiple organizations and servers. SiteMinder 5.5 provides support for: (1) SAML (Security Assertion Markup Language): SiteMinder 5.5 enables a SiteMinder identity to be mapped to a SAML based identity. SiteMinder creates a SAML assertion for a user and makes it available to a partner site. 
Now, companies can securely exchange information about authenticated users without having to change their existing security infrastructures, reducing costs, creating more efficiencies, and providing a better user experience. (2) Microsoft .Net Passport: SiteMinder integration with Microsoft .NET Passport enables users to log-in just one time using their .NET Passport user name and password, and access all .NET Passport enabled Web sites as well as enterprise applications protected by SiteMinder and configured to trust Passport authentication. In addition, for more sensitive applications, companies can implement a policy that challenges users for additional credentials beyond their Passport identities. (3) Kerberos: With support for Kerberos, users are able to log into their Microsoft desktop using Windows credentials and are then provided with single sign-on to the SiteMinder protected environment, without having to sign on again. Now, an employee can log onto their desktop in the morning and gain access to the company's SiteMinder protected portal, without having to log on multiple times..."

    [August 26, 2002] [URL=http://www.computerworld.com/developmenttopics/development/webdev/story/0,10801,73712,00.html]"SAML Secures Web Services."[/URL] By Linda Rosencrance. In [URL=http://www.computerworld.com/]ComputerWorld[/URL] August 26, 2002. ['The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.'] 'If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners. OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards. Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called 'assertions,' between business partners over the Internet. OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification. SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example. SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges. SAML doesn't address privacy policies, however. 
Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection. The SAML specification itself doesn't define any new technology or approaches for authentication. Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures..."

    [August 07, 2002] [URL=http://home.earthlink.net/~fjhirsch/xml/xmlsec/starting-xml-security.html]"Getting Started With XML Security."[/URL] By [URL=mailto:hirsch@fjhirsch.com]Frederick Hirsch[/URL]. July 31, 2002. With 32 references. From a collection of [URL=http://home.earthlink.net/~fjhirsch/Papers/index.html]referenced papers.[/URL] "Meeting security requirements for privacy, confidentiality and integrity is essential in order to move business online. With the growing acceptance of XML technologies for documents and protocols, it is logical that security should be integrated with XML solutions. The XML Security standards define XML vocabularies and processing rules in order to meet security requirements. These standards use legacy cryptographic and security technologies, as well as emerging XML technologies, to provide a flexible, extensible and practical solution toward meeting security requirements. The XML Security standards include XML Digital Signature for integrity and signing solutions, XML Encryption for confidentiality, XML Key Management (XKMS) for public key registration, location and validation, Security Assertion Markup Language (SAML) for conveying authentication, authorization and attribute assertions, XML Access Control Markup Language (XACML) for defining access control rules, and Platform for Privacy Preferences (P3P) for defining privacy policies and preferences. Major use cases include securing Web Services (WS-Security) and Digital Rights Management (eXtensible Rights Markup Language 2.0 - XrML)... [Conclusion:] The XML Security standards define XML languages and processing rules for meeting common security requirements. For the most part, these standards incorporate the use of the other XML Security standards, especially the core XML Digital Signature and XML Encryption standards. Another example is the sharing of policy statements by SAML and XACML. 
This set of interlocking standards has emerged quickly, and, since it is based on a foundation of accepted practices and technologies, should mature quickly. This article has presented a brief introduction to the set of standards and how they work together. XML Security standards will be essential to moving business online as XML technologies are adopted for Web Services, Digital Rights Management and other emerging applications. Understanding of how XML may meet authentication, authorization, confidentiality, integrity, signature and privacy requirements will be essential..." (1) [URL=http://xml.coverpages.org/techSociety.html#security]"Security, Privacy, and Personalization"[/URL] and (2) [URL=http://xml.coverpages.org/drm.html]"XML and Digital Rights Management (DRM)."[/URL] [[URL=http://xml.coverpages.org/HirschXMLSecurity20020807.html]cache 2002-08-07[/URL]]

    [July 19, 2002] [URL=http://xml.coverpages.org/Mishra-SAMLDemo04.pdf]"Catalyst 2002 SAML InterOp."[/URL] By Prateek Mishra ([URL=http://www.netegrity.com/]Netegrity[/URL]). July 15, 2002. Document used as part of a press-briefing at Catalyst2002, San Francisco. It provides a (very)-short overview of SAML and the interOp event. Provides a SAML Introduction, Report on SAML Status, SAML InterOp Details, Relationship of SAML to other efforts. SAML (Security Assertion Markup Language) is a framework for exchange of security-related information e.g., assertions. These assertions about authentication and authorization are expressed as XML documents. SAML solves two problems: (1) Identity Federation: Provides technology to allow a business to securely interact with users originating from its vendors, suppliers, customers etc. (2) Fine Grained Authorization: Users may authenticate at one site and be authorized by another. A SAML 'profile' describes how SAML should be used to solve some business problem, e.g., Web browser profiles for Single-Sign On (part of SAML 1.0) or WS-Security profile for securing web services (currently under development by the SSTC). SAML is NOT A new form of authentication, an alternative to WS-Security, limited to legacy applications, limited to web browser applications, limited to web services security..." Details: see [URL=http://xml.coverpages.org/ni2002-07-15-a.html]"Burton Group's Catalyst Conference Features SAML Interoperability Event."[/URL]

    [July 17, 2002] [URL=http://xml.coverpages.org/HodgesSSTC-SAMLandLiberty.html]SAML and Liberty.[/URL] Posting by [URL=mailto:Jeff.Hodges@sun.com]Jeff Hodges[/URL] (Sun). 2002-07-17.

    [July 15, 2002] Burton Group's Catalyst Conference Features SAML Interoperability Event. The first day of a San Francisco Catalyst Conference organized by the Burton Group is focused upon 'Building Secure Relationships Through Directory and Identity Management'. A SAML Interoperability Event was also held as part of the conference. According to the announcement, the first public demonstration of the OASIS Security Assertion Markup Language (SAML) "was held Monday at the Catalyst Conference in San Francisco. Twelve vendors, including IBM, Novell, Oblix, Sun Microsystems Inc., Baltimore Technologies, CrossLogix, Entegrity Solutions, ePeople, Overxeer, Netegrity, RSA Security, and Sigaba participated in the event, which demonstrated interoperability of SAML 1.0-conformant security software products. SAML allows authentication and authorization information to be exchanged among disparate Web access management and security products. The OASIS specification addresses the need for secure single sign-on among diverse Web access management environments implemented across various organizations, applications, Web sites and portals. Defining standardized exchanges of identity and access management information, SAML leverages such Web services standards as XML and SOAP." [[URL=http://xml.coverpages.org/ni2002-07-15-a.html]Full context[/URL]]

    [July 17, 2002] [URL=http://www.infoworld.com/articles/hn/xml/02/07/17/020717hnmicrosoftsaml.xml]"Microsoft Warms to SAML."[/URL] By [URL=mailto:cathleen_moore@infoworld.com]Cathleen Moore[/URL]. In [URL=http://www.infoworld.com/]InfoWorld[/URL] (July 17, 2002). "Microsoft revealed plans on Tuesday [2002-07-16] to support an emerging security standard that also forms the technology underpinnings for rival Liberty Alliance's federated identity management specification. In a talk here at the Burton Group Catalyst Conference 2002, Praerit Garg, Microsoft group program manager, detailed the company's vision for federated security, which will in the future include room for SAML (Security Assertion Markup Language). Meanwhile, Liberty Alliance on Monday announced Version 1.0 of its federated identity management specification, which is based on SAML. SAML allows authentication and authorization information to be exchanged among multiple Web access management and security products, according to OASIS (Organization for the Advancement of Structured Information Standards) officials. The specification also addresses secure single sign on, and leverages Web services standards such as XML and SOAP (Simple Object Access Protocol). In addition to its support for X509 certificates and Kerberos, Microsoft will support SAML in the WS-Security paradigm, Garg said. WS-Security is an OASIS security specification backed by Microsoft, IBM, and Verisign. 'WS-Security is a very simple model that lets you carry multiple assertions, SAML and Kerberos,' Garg said. 'It reduces friction.' SAML is just another security token format, Garg said, and WS-Security provides the common envelope to carry multiple tokens... In response to questions from the audience about what took the company so long to embrace SAML, Garg said that last year Microsoft did not really understand what SAML was about. Also, he added that the company wanted to protect existing investments in X509 and Kerberos. 
Garg added that Microsoft should have participated more actively in the standards development process. With a common SAML-based bridge erected, the gap between Microsoft's identity efforts and the Liberty Alliance may be shrinking. In fact, Microsoft gave its strongest indication yet that it may join forces with the Liberty Alliance..."

    [July 16, 2002] Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization. The Liberty Alliance Project has released its version 1.0 open federated network identity specifications, and several vendors at the Burton Group Catalyst Conference in San Francisco have announced plans today to deliver Liberty-enabled products and services. The Liberty Alliance Project is an alliance (60+ members) formed to deliver and support a federated network identity solution for the Internet that enables single sign-on for consumers as well as business users in an open, federated way. The version 1.0 specifications focus on interoperability between systems to enable opt-in account linking and simplified sign-on functionality. This allows users to decide whether to link accounts with various identity providers and makes it easier for both consumers and businesses to take advantage of the growing Web services space." Specific functionality outlined in version 1.0 includes: (1) Opt-in account linking; (2) Simplified sign-on for linked accounts; (3) Authentication context; (4) Global log-out; (5) Liberty Alliance client feature. The six-part specification includes: Architecture Overview, Architecture Implementation Guidelines, Authentication Context Specification, Bindings and Profiles Specification, Protocols and Schemas Specification, and a Technical Glossary. "The Liberty Alliance specifications leverage industry-standard security and data transfer protocols, including the Security Assertion Markup Language (SAML), developed by OASIS; SAML is quickly becoming the de-facto means for exchanging user credentials between trusted environments." [[URL=http://xml.coverpages.org/ni2002-07-16-a.html]Full context[/URL]]

    [July 15, 2002] [URL=http://www.nwfusion.com/news/2002/0715saml.html]"Accent on Access Control. Conference to highlight SAML, an emerging standard for identity management."[/URL] By [URL=http://www.nwfusion.com/Home/jfontana.html]John Fontana[/URL]. In [URL=http://www.nwfusion.com/]Network World[/URL] (July 15, 2002). "Industry heavyweights this week will throw their support behind a developing standard that promises to help network executives build centrally managed, easily sharable user identity systems. At the annual [URL=http://xml.coverpages.org/conf.html#BurtonCatalystConference2002]Burton Group Catalyst Conference[/URL], a parade of vendors, including RSA Security, Netegrity, Oblix and Novell, will announce support for [URL=http://www.oasis-open.org/committees/security/]Security Assertion Markup Language (SAML)[/URL], an emerging XML-based standard for exchanging authentication and authorization information. Also at the conference, those vendors will join Baltimore Technologies, Crosslogix, Sun, IBM's Tivoli Systems and others in a SAML interoperability demonstration. The biggest shot in the arm, however, will come from the Liberty Alliance, a group of vendors and corporate users who have spent the past six months creating a single sign-on specification. The group will release its work, and announce it is supporting SAML and adding nearly 20 new members... The wave of support for SAML likely will stamp it as a de facto standard, although it won't get official approval from the Organization for the Advancement of Structured Information Standards (OASIS) until fall at the earliest. The only snag could be that Microsoft has yet to commit to SAML, instead focusing on Kerberos as a way to pass authentication information. But Microsoft's commitment to WS-Security, a set of proposed standards it created with IBM and VeriSign and now under review by OASIS, could eventually bring the company into the fold. 
SAML is but one important step in creating user authentication and authorization information that is portable across corporate networks so a user authenticated on one company's network can be recognized on another and granted or denied authorization to access resources based on that authentication. This sharing of user identity is being referred to as federated identity management and is emerging as a key technology for distributed e-commerce and Web services... SAML does not specify any policy for using identity information. The Liberty Alliance specification will build on top of SAML, adding some policy protocols. Also, SAML does not incorporate a way to establish trust between business partners exchanging identity information. And SAML, which has strong authentication services, will need the help of another emerging XML-based protocol called XML Access Control Markup Language to solve the more complex issue of authorization. A third protocol - the Services Provisioning Markup Language - also will have to be incorporated. There are other, competing efforts. Microsoft is working on integrating its Passport service with Kerberos, as opposed to SAML, to create a single sign-on credential similar to Liberty's work. Microsoft also is developing TrustBridge, another product to unify sign-on across Microsoft environments, and focusing on Extensible Rights Markup Language, an authorization protocol similar to XACML..."

    [July 01, 2002] [URL=http://www.nwfusion.com/news/tech/2002/0701tech.html]"SAML Promises Web Services Security."[/URL] By James Kobielus. In [URL=http://www.nwfusion.com/]Network World[/URL] (July 01, 2002). "Security Assertion Markup Language 1.0 is a new proposed standard for interoperability among Web services security products. As corporations increasingly deploy access management solutions and other security products in Web services environments, SAML 1.0 has the potential to be a critical interoperability standard for securing these online environments from end to end, both within organizations and from business to business. SAML 1.0, nearing ratification by the Organization for the Advancement of Structured Information Standards, works with XML and Simple Object Access Protocol (SOAP). SAML 1.0 defines SOAP-based interactions among security and policy domains, supporting Web single sign-on (SSO), authentication and authorization. The standard defines request and response 'assertion' messages that security domains exchange to vouch for authentication decisions, authorization decisions, and attributes that pertain to named users and resources. SAML 1.0 also defines functional entities such as authentication authorities, attribute authorities, policy decision points and policy enforcement points. In a SAML-enabled Web SSO scenario, users log on to their home or 'source' domains through authentication techniques such as ID/password. The source domain communicates this authentication decision, plus other information that provides a security context for that decision, to one or more affiliated or federated destination domains through messages that contain SAML 'authentication assertions' and 'attribute assertions.'" See also [URL=http://www.nwfusion.com/news/2002/132320_05-06-2002.html]"SAML Gains Steam."[/URL]

    [June 26, 2002] [URL=http://www.infosecuritymag.com/2002/jun/news.shtml]"The Web's Future Passkey."[/URL] By Lawrence M. Walsh. In [URL=http://www.infosecuritymag.com/]Information Security Magazine[/URL] (June 2002). ['SAML supporters say the standard could provide ubiquitous, transparent Web authorization.'] "Baltimore Technologies recently designed its security management suite, SelectAccess 5.0, as an XML-based application to leverage its access control functions for the emerging world of Web services. A key element of SelectAccess is the Security Assertion Markup Language (SAML), a relatively new standard that's rapidly becoming the de facto means for exchanging user credentials between trusted environments... Developed by the Organization for the Advancement of Structured Information Standards, SAML could be the success story for the next generation of online computing. As Web services and trusted online relationships continue to evolve, many see SAML as the mechanism that will bring single sign-on (SSO) to B2B and B2C environments... SAML's infrastructure is rather simple. To make it work, a Web-based network must have a SAML server deployed on its perimeter. The server sits alongside the Web server and interacts with its back-end access control database. Once a user authenticates to the site, the SAML server will transparently transmit his credentials to every partner site. The SAML server on the other end will automatically accept him as being a trusted user... Given the extent of a partner community, users can transparently pass from site to site without ever touching an access control or authorization mechanism. This transparency, developers believe, will facilitate greater use of online services and information sharing, since users won't have to remember and enter a myriad of authentication information... Granting trust between SAML servers isn't done blindly. 
SAML doesn't grant users access, say how they should be authenticated or enable automated provisioning for new services. Essentially, it's nothing more than an exchange of information between trusted, known parties. That's where things get a little tricky. While an enabled SAML system will create transparent exchanges of authorization information, the establishment of those trusted relationships must still be done out of band... SAML typically uses digital certificates to authenticate servers to one another--preventing a rogue SAML server from spoofing access rights--and encrypts all data passed between networks. However, the standard doesn't authenticate users; rather, it relies on existing access control and authentication solutions. It also does nothing to protect user identification information stored locally. All of this means partner sites must develop mutual requirements for user authentication and data protection... In addition to Baltimore, other security vendors are incorporating SAML in their products. Waveset and Netegrity are each integrating SAML in their access control products, and Netegrity has already released a toolkit for making existing SiteMinder applications SAML-compliant..."
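The Kobielus and Walsh items above describe the same mechanism from two angles: a source domain issues authentication and attribute assertions for a user it has just authenticated, and a destination domain accepts them only because server-to-server trust was established out of band. The Go program below is an added example, not code from any product or article quoted in this post, that walks through both sides. The issuer and destination URLs, the user name and the role attribute are constructed values; signing the serialized assertion bytes with RSA stands in for SAML's enveloped XML-DSig signature, and the namespace-free element names are a subset of SAML 1.0.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed, namespace-free subset of a SAML 1.0 assertion: an authentication
// statement, an attribute statement, and Conditions (validity window, audience).
type Assertion struct {
	XMLName                 xml.Name       `xml:"Assertion"`
	Issuer                  string         `xml:"Issuer,attr"`
	Conditions              Conditions     `xml:"Conditions"`
	AuthenticationStatement AuthnStatement `xml:"AuthenticationStatement"`
	Attributes              []Attribute    `xml:"AttributeStatement>Attribute"`
}
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestrictionCondition>Audience"`
}
type AuthnStatement struct {
	AuthenticationMethod string `xml:"AuthenticationMethod,attr"`
	NameIdentifier       string `xml:"Subject>NameIdentifier"`
}
type Attribute struct {
	Name  string `xml:"AttributeName,attr"`
	Value string `xml:"AttributeValue"`
}
// SignedAssertion is what the source domain sends: the serialized assertion plus its
// RSA signature over those exact bytes (a simplification of SAML's enveloped XML-DSig).
type SignedAssertion struct {
	XML, Signature []byte
}
// IssueAssertion is the source domain's side: it has just authenticated user by
// password and vouches for that to audience for a five-minute window.
func IssueAssertion(priv *rsa.PrivateKey, issuer, user, audience string, now time.Time) (SignedAssertion, error) {
	a := Assertion{
		Issuer: issuer,
		Conditions: Conditions{
			NotBefore:    now.UTC().Format(time.RFC3339),
			NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339),
			Audience:     audience,
		},
		AuthenticationStatement: AuthnStatement{"urn:oasis:names:tc:SAML:1.0:am:password", user},
		Attributes:              []Attribute{{"role", "partner-buyer"}}, // constructed attribute
	}
	data, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedAssertion{XML: data, Signature: sig}, err
}

// VerifyAssertion is the destination domain's side. trusted holds issuer keys pinned out
// of band; nothing inside an assertion can add one, so a rogue server cannot grant itself access.
func VerifyAssertion(trusted map[string]*rsa.PublicKey, audience string, sa SignedAssertion, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return nil, err
	}
	pub, ok := trusted[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not a configured partner", a.Issuer)
	}
	digest := sha256.Sum256(sa.XML)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return nil, errors.New("signature invalid: tampered or not from the claimed issuer")
	}
	// Only after the signature check are the parsed conditions worth acting on.
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return nil, errors.New("assertion is outside (or lacks) its validity window")
	}
	if a.Conditions.Audience != audience {
		return nil, fmt.Errorf("assertion addressed to %q, not to us", a.Conditions.Audience)
	}
	return &a, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	sa, _ := IssueAssertion(priv, "https://source.example", "jdoe", "https://destination.example", now)
	trusted := map[string]*rsa.PublicKey{"https://source.example": &priv.PublicKey} // pinned out of band
	a, err := VerifyAssertion(trusted, "https://destination.example", sa, now.Add(time.Minute))
	fmt.Println("after 1 min, accepted:", err == nil && a.AuthenticationStatement.NameIdentifier == "jdoe")
	_, err = VerifyAssertion(trusted, "https://destination.example", sa, now.Add(10*time.Minute))
	fmt.Println("after 10 min:", err)
}
```

The order of checks in VerifyAssertion is the point: the issuer name inside the assertion only selects which pinned key to try, the signature decides whether the bytes can be believed at all, and only then are the validity window and audience read from them. An assertion from an issuer that was never configured, one re-signed with a key the destination did not pin, or one whose subject was edited in transit all fail before any access decision is made, which is the "known, trusted parties" property the Walsh article describes.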

    [June 04, 2002] [URL=http://xml.coverpages.org/BurtonSAML-ShowcaseAnnounce.html]"Burton Group's Catalyst Conference to Showcase First Demonstration of SAML 1.0 Industry Standard. OASIS-Sponsored Demo Features Standards-Based Interoperability. Burton Schedules SAML 1.0 TeleBriefing for June 12, 2002."[/URL] - "Burton Group, a technology-industry pioneer of network research and consulting, will showcase the first public demonstration of standards-based interoperability among SAML 1.0-conformant security software products on July 15 at its annual Catalyst Conference. Sponsored by the Organization for the Advancement of Structured Information Standards (OASIS), the industry standards group that developed the proposed Security Assertion Markup Language (SAML) standard for Web services security, the demonstration will feature products from several network security software vendors. SAML 1.0 is a proposed OASIS standard for exchanging authentication and authorization information among disparate Web access management and security products. SAML 1.0, which will soon come up for a vote by the full OASIS membership, addresses the need for secure single sign-on (SSO) across diverse Web access management environments implemented across various organizations, applications, Web sites and portals. The proposed standard defines standardized exchanges of identity and access management (IAM) information, leveraging such Web services standards as XML and SOAP... The SAML interoperability demonstration will involve several current and future commercial software solutions that support Web SSO, access management and other network security services. As of May 15, 2002, vendors who have indicated their intention to participate in the event are Baltimore Technologies, Crosslogix, Entegrity Solutions, ePeople, Novell, OverXeer, Netegrity, Oblix, RSA Security, Sigaba, Sun Microsystems and Tivoli Systems. 
The SAML 1.0 demonstration will feature cross-enterprise SSO across several vendors' Web access management products, which will support consistent vendor implementations of the SAML 1.0 Web Browser profile. In particular, the event will demonstrate the following scenarios: (1) IAM interoperability: Businesses using different vendors' Web access management products establish trust relationships for the purpose of sharing authentication, attribute and authorization decision information; (2) Cross-enterprise Web single sign-on: Browsers/users authenticate at 'portal' sites and then are able to access Web resources managed under other 'content' sites..."

    [June 04, 2002] [URL=http://xml.coverpages.org/SAML-Oblix-NetPoint-FEDERATEDid-Layer.html]"Oblix Announces Availability of the NetPoint FEDERATEDid Layer for Enhanced Identity Management Within the Enterprise. Oblix Delivers Industry's Most Comprehensive Set of Federated Identification Services Including Full Support of Security Assertion Markup Language (SAML)."[/URL] - "[URL=http://www.oblix.com/]Oblix[/URL], a leading developer of identity-based security solutions, today announced the immediate availability of the NetPoint FEDERATEDid Layer -- an integration layer within Oblix NetPoint that allows an enterprise to identify users from multiple authentication sources while maintaining tight control over access to Web-based applications and resources. The NetPoint FEDERATEDid layer enables enterprise customers to accept user identifications from a third-party such as Microsoft .NET Passport and rely on Oblix NetPoint to seamlessly provide authorization and identity management actions. The NetPoint FEDERATEDid Layer enhances an enterprise's identity management capabilities and increases the user experience, as users authenticated by a third-party will not have to log-in again when accessing protected applications... Oblix reiterates its support for SAML and other emerging industry standards and will be one of the first vendors to deliver a 100% SAML-compliant product. The company is an active member of the OASIS Security Services Technical Committee (SSTC) working on the ratification of SAML 1.0, and the company plans to participate in a SAML interoperability demonstration at Burton Catalyst in July. Ratification of the SAML 1.0 specification is expected by the end of this month. The NetPoint FEDERATEDid Layer can be used in cooperation with SAML and does not mandate customers use SAML. 
Instead, the NetPoint FEDERATEDid Layer gives customers the choice in deciding how they will implement SAML or use other options for interoperable authentication such as the Liberty Alliance or .NET Passport..."

    [May 07, 2002] [URL=http://www.nwfusion.com/news/2002/132320_05-06-2002.html]"SAML Gains Steam."[/URL] By [URL=mailto:jfontana@nww.com]John Fontana[/URL]. In [URL=http://www.nwfusion.com/]Network World [/URL](May 06, 2002). "An XML protocol that appears on its way to becoming a key building block for standards-based security picked up momentum last week as vendors introduced products and vowed to provide free access to their patents to advance the cause. The efforts are in support of the [URL=http://www.oasis-open.org/committees/security/]Security Assertions Markup Language (SAML)[/URL], a framework for exchanging authentication and authorization credentials over the Web, which promises to give IT executives a way to tie together disparate security systems internally and with business partners. Last week, RSA Security announced that it would offer [URL=http://xml.coverpages.org/patents.html#RSA-SAML]royalty-free use of two patents[/URL] it owns that are similar to how SAML functions, therefore quashing concerns that the patents may hamper the acceptance of SAML. Also, [URL=http://xml.coverpages.org/saml.html#quadrasis20020429]Quadrasis[/URL], a business unit of Hitachi, introduced a developer tool for building SAML support into connectors that work with its Security Unifier. The product is similar to enterprise application integration software in that it provides a routing and transformation hub and a set of connectors that allow disparate security systems such as authentication systems, single sign-on software and encryption products to work together... SAML is gaining steam as it moves through the standards track at the Organization for the Advancement of Structured Information Standards. Ratification is expected in June. Experts say SAML will make it easier for users to cross security boundaries, especially those between companies that have established trust relationships. 
Combined with another emerging standard for digital signatures called XML Signatures, companies can exchange signed SAML assertions that confirm a particular user is authenticated and authorized to access certain network services. RSA, which is building SAML into its Web Access Management product called ClearTrust, is offering royalty-free access to U.S. patents that cover one type of SAML assertion called Browser/Post Profile, which basically delivers a digitally signed SAML assertion through an HTML form stored on a browser. Most vendors today, however, are implementing a simpler type of SAML assertion called Browser/Artifact Profile..."

    [April 19, 2002] [URL=http://xml.coverpages.org/SAML-cs-sstc-core-00.pdf]"Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)."[/URL] Edited by [URL=mailto:pbaker@verisign.com]Phillip Hallam-Baker[/URL] (VeriSign) and [URL=mailto:eve.maler@sun.com]Eve Maler[/URL] (Sun Microsystems). For the OASIS [URL=http://www.oasis-open.org/committees/security/]XML-Based Security Services Technical Committee (SSTC)[/URL] Maturity level: Committee Specification. Publication date: 19-April-2002. One of the 'final' SAML 1.0 [URL=http://www.oasis-open.org/committees/security/#documents]Committee Specification "00" documents[/URL]. Posted by Eve Maler. "This specification defines the syntax and semantics for XML-encoded SAML assertions, protocol requests, and protocol responses. These constructs are typically embedded in other structures for transport, such as HTTP form POSTs and XML-encoded SOAP messages. The SAML specification for bindings and profiles provides frameworks for this embedding and transport. Files containing just the SAML assertion schema and protocol schema are available... The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes. 
Note that assertions containing authentication statements merely describe acts of authentication that happened previously. Assertions are issued by SAML authorities, namely, authentication authorities, attribute authorities, and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding, to SOAP over HTTP. SAML authorities can use various sources of information, such as external policy stores and assertions that were received as input in requests, in creating their responses. Thus, while clients always consume assertions, SAML authorities can be both producers and consumers of assertions..." See the official [URL=http://www.oasis-open.org/committees/security/docs/cs-sstc-core-00.doc]Word .DOC source[/URL].

    [April 30, 2002] [URL=http://www.theregus.com/content/55/24814.html]"RSA Removes Patent Block to SAML Uptake."[/URL] By [ComputerWire Staff]. In [URL=http://www.theregus.com/]The Register[/URL] (April 30, 2002). "RSA Security Inc yesterday said it will grant royalty-free licenses to any developer that wants to use the Securities Assertions Markup Language (SAML) in their products. The company revealed last month that it has two US patents it believes cover aspects of the XML access control standard. The only caveat RSA is imposing on the royalties is that any other companies which claim to have intellectual property covering parts of SAML must also grant RSA a royalty-free license to use their technology. No other company has yet disclosed an IP interest in any other parts of SAML, but should one come forward, RSA's terms leave it open for them to levy royalties against firms other than RSA. Also, any developer that makes an SAML product using tools from companies that have licensed from RSA, must also license from RSA under the same royalty-free terms, so RSA can keep track of where its IP is being used. The patents in question are 6,085,320 and 6,189,098, both entitled "Client/Server Protocol for Proving Authenticity". RSA disclosed the patents after a direct request from the SAML working group, part of the OASIS XML interoperability group. Eve Maler, one of Sun Microsystems Inc's engineers in the working group, said the RSA patents "appear to be essential to the implementation of the SAML specification." She added that RSA's decision to go royalty-free is a good one for encouraging the uptake of standards in the emerging digital identity space..." See [URL=http://xml.coverpages.org/ni2002-04-20-a.html]"Committee Specification Level Documents for the Security Assertion Markup Language (SAML)."[/URL]

    [April 29, 2002] [URL=http://www.eweek.com/article/0,3658,s=712%26a=26123,00.asp]"Web Services Security Tightens."[/URL] By Darryl K. Taft and Dennis Fisher. In [URL=http://www.eweek.com/]eWEEK[/URL] (April 29, 2002). "Since security remains among the key challenges that must be met before Web services can become pervasive, some companies are moving to answer the call. Baltimore Technologies plc. and Hitachi Computer Products Inc.'s [URL=http://www.quadrasis.com/]Quadrasis[/URL] business unit this week will each deliver tools to help meet Web services' security challenge. At the heart of these technologies is SAML ([URL=http://www.oasis-open.org/committees/security/]Security Assertions Markup Language[/URL]), an XML-based standard for exchanging security credentials among online business partners. Nearing ratification by OASIS, or the Organization for the Advancement of Structured Information Standards, SAML enables users to sign on to one site and have their security credentials and information transparently transferred across affiliated sites... Quadrasis this week will announce its Enterprise Application Security Integration Developer Tool. It enables users to link security solutions via SAML wrappers and combine them to form a front-line defense for Web services security. The EASI tool is part of the company's [URL=http://www.quadrasis.com/News_Events/pr_easi-1_0218.asp]EASI Security Unifier[/URL], which is based on SAML. Bret Hartman, chief technology officer of Quadrasis in Waltham, Mass., said the EASI Developer Tool is like 'enterprise application integration for security'..."

    [April 25, 2002] [URL=http://www.infoworld.com/articles/hn/xml/02/04/24/020424hnsaml.xml]"Baltimore to Release SelectAccess 5.0 with SAML."[/URL] By Sam Costello. In [URL=http://www.infoworld.com/]InfoWorld[/URL] (April 24, 2002). "Baltimore Technologies will announce version 5.0 of its SelectAccess Web access management product on Monday, a release that includes easier configuration, better reporting and support for the SAML (Security Assertions Markup Language) standard. The addition of SAML to the product is perhaps the most important new feature in version 5.0. SAML is an emerging Web standard that should allow different Web access management products to interoperate and exchange security, authentication and permission information about users... Version 5.0 of SelectAccess simplifies the process of adding new users and components to a system, allows user information to be drawn from different directories simultaneously, offers deeper reporting and alerting options and adds support for the authentication of wireless users, she said. The new version of the software allows administrators to more easily and quickly deploy new SelectAccess components by storing configuration details in an LDAP (Lightweight Directory Access Protocol) directory, she said. That configuration data can then be automatically applied to new components -- such as servers and directories -- as they are added to a network, speeding installation of the new component. The new feature also cuts down on the time needed to upgrade configurations, as the new configuration can be created once and then published to all affected components, she said. SelectAccess 5.0 also allows information about users and policies to be extracted from different LDAP directories at the same time, according to Fai. This feature is needed as companies may use separate directories for different groups of users, she said. 
The new software also offers administrators more detailed and searchable reports, allowing them to be viewed by date, server, user, administrator and other criteria, she said. Administrators can also be notified of events in SelectAccess in more ways in version 5.0, with SNMP (Simple Network Management Protocol) and pager forwarding options, Fai said. Alerts can also be sent to trigger other events, rather than immediately alerting an administrator... Users of WAP (Wireless Application Protocol) devices are also supported in SelectAccess 5.0, she said. Another new protocol supported by the software is SAML, an emerging standard for Web access management products that will allow authentication and access control data to be handed off among Web access management products, she said. SAML support will help SelectAccess users extend Web single-sign-on capabilities beyond their corporate boundaries to partners who may not be using the same Web access management software... Despite the impending ratification, other details still need to be worked out among Web access management vendors. Those include how the data about access control will be described, he said. As a result, initial SAML deployments are likely to offer only a single sign-on to a variety of Web resources, rather than the full capability of the standard..." See also the announcement, [URL=http://www.baltimore.com/news/press/2002/pr20020423.asp]"Baltimore Introduces the First Commercially Available Implementation of SAML-based Services for Online Partnerships with SelectAccess 5.0. SelectAccess 5.0 Eases Administration, Extends Usability, and Leverages Existing IT Investment."[/URL]

    [December 13, 2001] [URL=http://xml.coverpages.org/Maler-saml-basics.ppt]"SAML Basics. A Technical Introduction to the Security Assertion Markup Language."[/URL] By [URL=mailto:eve.maler@sun.com]Eve Maler[/URL] (XML Standards Architect, XML Technology Center, Sun Microsystems, Inc.). Presentation delivered at the Java in Administration Special Interest Group (JA-SIG) Conference, December 3, 2001. 51 slides. The session was designed to "provide a technical overview of SAML, the XML-based Security Assertion Markup Language being standardized at OASIS. It discusses how SAML enables Single Sign-On and other security scenarios, and provides details about the authentication, attribute, and authorization information that SAML can convey. The presentation also covers the protocol by which security information can be requested from SAML Authorities and the practical realities of how this information can be transported securely across domains... With XML, you often see standards that are simply wire protocols; no API is mandated, and in some cases no binding to some transport mechanism (such as HTTP or SMTP or whatever) is provided. We felt that the latter is definitely needed so that proprietary mechanisms don't creep in. What's needed is (1) A standard XML message format [It's just data traveling on any wire; No particular API mandated; Lots of XML tools available]; (2) A standard message exchange protocol [Need clarity in orchestrating how you ask for and get the information you need]; (3) Rules for how the messages ride 'on' and 'in' transport protocols, for better interoperability. SAML is an XML-based framework for exchanging security information: (1) XML-encoded security 'assertions'; (2) XML-encoded request/response protocol; (3) Rules on using assertions with standard transport and messaging frameworks..."


    Posted 2005/12/6 10:10:00
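The 19 April 2002 Committee Specification excerpt above describes what a SAML 1.0 assertion carries (authentication, attribute and authorization-decision statements nested under one issuer, subject and Conditions), and the Network Computing excerpt stresses that the receiving site, not SAML, decides whether to trust the issuer and that an authentication statement only reports something that already happened. The following is an added example, not code from the original post or from any product it lists: it builds such an assertion on the producer side and applies the consumer-side checks a relying site needs before it acts on one (trusted issuer, NotBefore/NotOnOrAfter window, AudienceRestrictionCondition). The issuer and audience URLs, the subject address, the `urn:example:attrs` attribute namespace and the fixed AssertionID are constructed demo values, and the code assumes that XML Signature verification of the assertion against the partner's certificate is done separately; without that step the Issuer check is a string comparison and nothing more.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 assertion namespace
NS = {"saml": SAML_NS}
UTC = dt.timezone.utc
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.0:nameid-format:emailAddress"

class AssertionRejected(Exception):
    """Raised when the consuming site refuses a received assertion."""

def _fmt(t): return t.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")  # xsd:dateTime, UTC

def _parse(s): return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def _tag(name): return f"{{{SAML_NS}}}{name}"

def _subject(parent, name_id):
    s = ET.SubElement(parent, _tag("Subject"))
    ET.SubElement(s, _tag("NameIdentifier"), {"Format": EMAIL_FMT}).text = name_id

def build_assertion(issuer, subject, audience, now, lifetime_s=300,
                    attributes=None, decisions=()):
    """Producer side: one assertion nesting all three statement types."""
    a = ET.Element(_tag("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": "_example-assertion-1",  # a real issuer uses a fresh random ID
        "Issuer": issuer, "IssueInstant": _fmt(now)})
    cond = ET.SubElement(a, _tag("Conditions"), {
        "NotBefore": _fmt(now),
        "NotOnOrAfter": _fmt(now + dt.timedelta(seconds=lifetime_s))})
    arc = ET.SubElement(cond, _tag("AudienceRestrictionCondition"))
    ET.SubElement(arc, _tag("Audience")).text = audience
    # The AuthenticationStatement only records an act of authentication that already happened
    authn = ET.SubElement(a, _tag("AuthenticationStatement"), {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": _fmt(now)})
    _subject(authn, subject)
    if attributes:
        st = ET.SubElement(a, _tag("AttributeStatement"))
        _subject(st, subject)
        for name, values in attributes.items():
            at = ET.SubElement(st, _tag("Attribute"), {
                "AttributeName": name, "AttributeNamespace": "urn:example:attrs"})
            for v in values:
                ET.SubElement(at, _tag("AttributeValue")).text = v
    for resource, decision, action in decisions:
        ds = ET.SubElement(a, _tag("AuthorizationDecisionStatement"),
                           {"Resource": resource, "Decision": decision})
        _subject(ds, subject)
        ET.SubElement(ds, _tag("Action"), {
            "Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}).text = action
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Consumer side. Assumes the XML Signature over the assertion was already
    verified against the partner's certificate; until then Issuer is just a string."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("Assertion") or root.get("MajorVersion") != "1":
        raise AssertionRejected("not a SAML 1.x assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions: refuse open-ended assertions")
    if now < _parse(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now >= _parse(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        raise AssertionRejected("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:  # an assertion with no audience at all is also refused
        raise AssertionRejected("assertion not addressed to this site")
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise AssertionRejected("no AuthenticationStatement")
    return {
        "subject": authn.find("saml:Subject/saml:NameIdentifier", NS).text,
        "attributes": {at.get("AttributeName"):
                       [v.text for v in at.findall("saml:AttributeValue", NS)]
                       for at in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
        "decisions": [(d.get("Resource"), d.get("Decision"))
                      for d in root.findall("saml:AuthorizationDecisionStatement", NS)],
    }

def rejects(xml_text, trusted_issuers, my_audience, now):
    try:
        validate_assertion(xml_text, trusted_issuers, my_audience, now)
        return False
    except AssertionRejected:
        return True

# Constructed demo data: an assertion from "idp.example.net" addressed to "sp.example.com"
DEMO_NOW = dt.datetime(2002, 4, 19, 12, 0, tzinfo=UTC)
DEMO_LATER = DEMO_NOW + dt.timedelta(seconds=600)  # past the 300 s NotOnOrAfter
DEMO_ASSERTION = build_assertion("https://idp.example.net", "alice@example.net",
                                 "https://sp.example.com", DEMO_NOW, attributes={"role": ["buyer"]},
                                 decisions=[("https://sp.example.com/orders", "Permit", "Read")])
```

Calling `validate_assertion(DEMO_ASSERTION, {"https://idp.example.net"}, "https://sp.example.com", DEMO_NOW)` returns the subject, attributes and decisions the relying site may act on; the same assertion presented ten minutes later, by an unlisted issuer, or to a different audience is refused. The audience check is deliberately strict (an assertion with no AudienceRestrictionCondition is rejected), because an assertion that any site would accept is exactly the kind of token that can be replayed from one partner site to another.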

    This topic has 7 posts, page: [1]

     Tree view (last 20 replies)
    Topic:  [Recommended] SAML introduction and resource roundup (61003 chars) - admin, 6 December 2005
        Reply:  Many thanks admin, this has helped me enormously!!! (34 chars) - zhanghui_csu, 11 December 2006
        Reply:  Thanks, OP! (10 chars) - sueplay, 18 December 2005
        Reply:  good,too much (14 chars) - 菜籽, 7 December 2005
        Reply:  [March 22, 2002] [URL=http://www.fawcette.com/xml.. (40314 chars) - admin, 6 December 2005
        Reply:  [October 15, 2002] [URL=http://xml.coverpages.or.. (49738 chars) - admin, 6 December 2005
        Reply:  [September 22, 2003] [URL=http://xml.coverpages... (63102 chars) - admin, 6 December 2005
