Security Assertion Markup Language (SAML) has hurdled technology barriers to become a seamless Web single sign-on option for enterprises. Yet fewer than 10% of corporations are using it, according to Burton Group senior vice president Dan Blum, who authored a recent report on the security specification.
Blum cites business pressures and the spec's relative youth as reasons for the low number.
"Technology is not a roadblock anymore," Blum said. "The technology is complex and requires skills, but it has been demonstrated to work and work well."
Members of OASIS, the standards body responsible for crafting and updating SAML, have announced that version 2.0 would be released this summer. SAML 2.0 will unify the current SAML 1.1 with many specifications developed by the Liberty Alliance under a single framework. OASIS says this will further enhance an enterprise's ability to carry Web single sign-on and Web services user authentication, and authorization assertions through the firewall to customers, suppliers and business partners.
"There are business agreements and trust relationships that go on behind the technology front. Those are [difficult] issues to contend with," Blum said. "To get SAML deployed, you have [to] convince people in the organization that it's the right risk-management choice."
Blum said SAML is still in the early adopter phase and that there are currently no more than 200 production implementations. Those are found primarily in financial services, manufacturing, government, telecommunications, higher education, insurance and other industries where sensitive documents are transferred. Having federated identities in those instances cuts down on the cost of maintaining multiple user and password directories, Blum said.
"It can make applications feasible that were not feasible before," Blum said. "If you're using SAML, you can guarantee inter-domain sign-on for users, enjoy a cost savings by cutting into help desk costs, for example, and turn those savings into a competitive advantage."
Security, interoperability and management, Blum said, are a chief information officer's top three concerns about implementing Web services. SAML not only solves the prickly issue of federated identities but is complementary to other specifications, like Web Services-Security (WS-Security), which is the standard for signing and encrypting SOAP messages.
"SAML is the primary choice for Web single sign-on between dissimilar domains," Blum said. "The reason is that it's here, it's been tried, and it works where you have different products internally and between domains."
Blum warns, however, that in addition to training costs and the chore of convincing decision makers of SAML's benefits, enterprises must also contend with regulatory requirements. Auditing, for example, is difficult because of the spec's youth and because of potential inconsistencies among business partners, suppliers and customers.
"Add all this friction, and you could be losing ROI," Blum said. "At that point, you might want to put it on your road map and look at it again later."
Blum adds, however, that enterprises using or exposing applications as a Web service should consider SAML.
"If you have enough relationships, be they B2B, with customers, dealers, outsourcers or even internally, SAML should be considered," Blum said.
FEEDBACK: Are you convinced that SAML is ready for prime-time use in the enterprise?
Send your feedback to the SearchWebServices.com news team.