XML Developer Tip: RSA weighs in to help secure XML content
On April 29, 2002, leading security and technology rights firm RSA Associates--which holds key patents on numerous widely-used encryption tools and algorithms--announced it would make its relevant patents available to third-party vendors free of charge if they build XML solutions around the Security Assertion Markup Language or SAML. "What's SAML?" and "Why is this worthy of mention?" are the inevitable next questions that I will attempt to address in this XML tip.
The Security Assertion Markup Language (SAML) is an XML framework within which parties to online communications can securely exchange authorization and authentication data. In short, SAML defines mechanisms whereby XML-based digital signatures and XML-based encryption services may be used to help provide:
- proof of identity (authentication)
- delivery of important services such as non-repudiation, privacy, and so forth
- definitions of standard means for encrypting and decrypting highly sensitive information, which in turn makes it possible to exchange less computationally expensive private session keys that can be used to encrypt and decrypt communications for the duration of an online session
In essence, a user's possession of a secret private key, which only they should be able to use to decipher messages encrypted with their public key, makes it possible to provide fairly strong proof of identity while also enabling increased privacy and security.
Why this is worthy of mention is that numerous XML-based messaging services, such as SOAP, XML-RPC, and so forth, are now available--and coming into increasing use--for all kinds of applications. In fact, it's not outlandish or inaccurate to argue that the availability of so-called Web services depends on XML-based messaging. Thanks to the RSA announcement, SAML now offers a coherent, standardized framework that lets developers building Web services use powerful, standard digital signature and encryption services, royalty-free, to secure the client-server communications on which such Web services depend, without fear of snooping or theft of sensitive information, account and password data, and so forth. The win for RSA is that this should spur even more widespread adoption of its tools and technologies, in the hope that developers will also adopt its for-a-fee tools and services.
The SAML specification states that "security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes." In simpler English, SAML lets disjoint, distributed information systems safely and securely share data about valid user accounts, including permissions data, access controls, group memberships, and other key ingredients involved in recognizing authorized users and controlling access to the resources they're authorized to use.
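As an added example (not from the original article or from the SAML specification itself), the following Python routine reads a constructed SAML 1.1 assertion of the nested shape the spec describes, pulls out its email-identified subject and its authentication, attribute and authorization-decision statements, and only reports the contents as valid when the assertion's Conditions window covers the time of the check. The issuer, subject, group names and resource URL are made-up sample values; XML signature verification is assumed to have happened before this step and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: three nested statements about one email-identified subject.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-id-001"
    Issuer="idp.example.org" IssueInstant="2002-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2002-05-01T12:00:00Z" NotOnOrAfter="2002-05-01T12:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2002-05-01T11:59:50Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        >alice@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="group" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>xml-editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="https://app.example.org/reports" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC timestamp form used in SAML 1.x attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, now_iso):
    """Summarise subject and statements; 'valid' says whether Conditions hold at now_iso."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    # A missing Conditions element means no validity window: treat as untrusted, not open-ended.
    valid = cond is not None and _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    info = {"issuer": root.get("Issuer"), "valid": valid, "subjects": set(),
            "statements": [], "attributes": {}, "decisions": []}
    for stmt in root:
        kind = stmt.tag.split("}")[1]  # drop the namespace URI, keep the local element name
        if kind == "Conditions":
            continue
        info["statements"].append(kind)
        info["subjects"].add(stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS))
        for attr in stmt.findall("saml:Attribute", NS):
            info["attributes"][attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if kind == "AuthorizationDecisionStatement":
            info["decisions"].append((stmt.get("Resource"), stmt.get("Decision"), [a.text for a in stmt.findall("saml:Action", NS)]))
    return info
```

A relying party would also confirm that every statement names the same subject and that the issuer is one it trusts before acting on the decision.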
This provides a kind of level playing field that will make it much easier for developers to build, service providers to offer, and clients to use various message-based services over the Internet (which may or may not be Web-based). This is a good thing, and it removes another potential hurdle to their deployment and use--namely, the fear that accessing or using such services may expose clients and service providers to unauthorized disclosure or use of their data.
For more information about the RSA announcement regarding SAML, please consult Internet Week or the RSA press release. For more information about SAML, the Cover Pages summary and pointers are a great place to start exploring; you'll find them at xml.coverpages.org/saml.html.
Have questions, comments, or feedback about this or other XML-related topics? Please e-mail me care of firstname.lastname@example.org; I'm always glad to hear from my readers.
About the Author
Ed Tittel is a principal at LANWrights, Inc., a wholly owned subsidiary of LeapIt.com. LANWrights offers training, writing, and consulting services on Internet, networking, and Web topics (including XML and XHTML), plus various IT certifications (Microsoft, Sun/Java, and Prosoft/CIW).