
SAML 2.0: The Holy Grail of identity management, part 1

In part one of a two-part column, Preston Gralla explains the basics of Security Assertion Markup Language, and how it might be used in a typical real-world business scenario.

There are many roadblocks to the widespread use of Web services, but chief among them are security and authentication issues. Unless business partners can rely on authenticating each other, and unless businesses can rely on authenticating users, Web services will remain an interesting and useful technology, but not one that's embedded directly into everyday business.

A big step forward to resolving these issues was recently taken when OASIS approved the Security Assertion Markup Language (SAML) 2.0 security standard, and the Liberty Alliance announced that it was undertaking SAML 2.0 interoperability testing. Acceptance of the standard means that the Holy Grail of authentication -- so-called "single sign-on" -- is one step closer to becoming a reality. And interoperability testing means that companies will be able to buy software from different vendors, and know that they'll work together when they use SAML.

In this first part of a two-part column, I'll take a look at the basics of SAML, and how it might be used in a typical real-world business scenario. In the next column I'll look more closely at the implications of the use of the standard, and at why the standards-setting bodies believe that it's a great leap forward for Web services.

What is SAML?
The best place to start is a look at SAML itself. SAML is an XML-based standard for exchanging authentication and authorization information, designed to provide single sign-on so that people can be authenticated once and then access multiple Web services. In SAML terms, an identity provider (the site that actually authenticates the user) issues a signed assertion about that user, and a service provider (any other site the user wants to reach) accepts the assertion instead of running its own login. SAML allows each individual site to keep its own sign-on and authentication mechanism, but lets sites accept authenticated users from other sites; in fact, it creates a mechanism so that many sites can accept that same authenticated user.

The recently ratified SAML 2.0 adds a variety of features that makes this universal single sign-on far more useful than it was previously. Roger Sullivan, Oracle vice president for business development of identity management and a board member of the Liberty Alliance, noted that version 1.x of SAML "created a standards-based mechanism for presenting or asserting credentials from one party to another." In essence, it defined a one-way conversation.

But SAML 2.0, he said, changes that, and makes SAML "a bilateral exchange of credentials between parties. It creates a more complete framework for authorizing business transactions."

As a practical matter, this means that SAML "is the bridge that allows some of my identities to be reused at third-party sites," said Prateek Mishra of the firm Principal Identity and an OASIS Security Services Technical Committee co-chairman.

SAML in the real world
All this may sound very vague, so let's take a look at how SAML 2.0 will be used in a real-world situation. A corporation gives its employees access to a variety of services via Web services over a company portal. The portal allows employees to handle and review their 401k accounts, their company-provided health care and insurance, and their expense accounts, among other services.

In this scenario, third parties provide that 401k management, health care and insurance, and expense account management. The portal connects the company to each of those services using Web services.

Without SAML 2.0, that portal is only marginally more useful than having employees log on to each site separately. Employees still have to enter separate registration information at each site and have to maintain separate logins and passwords at each site. And when personal information changes -- for example, a change of address or if someone gets married -- each employee has to make that change at every separate site.

SAML 2.0 changes all that. It allows there to be a primary repository of a person's identity (and, in fact, allows for multiple identities, if a person chooses to have them). That primary identity, together with the personal information held alongside it, can then be shared with other sites. How much of that information is shared with each site depends on the person's preference, government regulations and company policies.

So, for example, when an employee first logs onto the 401k site from the portal, he will be asked whether he wants to use single sign-on and have his information, such as address, phone number, birth date and marital status, provided automatically to the site. If he agrees, his identity is sent to the 401k site, along with the information that site needs. And from then on, logging onto the portal itself will also log him into the 401k site.

He can do the same thing for other sites as well. That means he can sign on to the portal just once, and then never have to sign on to the other sites. And when he changes his personal information at work, for example by moving to a different address or changing his marital status, that information is automatically provided to all the other sites.

SAML does more than just this, however. The assertion an identity provider issues carries an attribute statement, and the identity provider decides which attributes go into the assertion for each site -- so, for example, private health information need not be sent to the 401k site. SAML itself doesn't define what information may be shared with whom. Instead, it provides the mechanism that lets companies apply those definitions as attribute-release policy and have them put into effect.
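The portal scenario, worked through in code as an added example that is not part of the column and not code from OASIS or the Liberty Alliance. The portal's identity provider builds a SAML 2.0 assertion for one service provider, releasing only the attributes the company's policy allows for that provider (the health plan identifier is withheld from the 401k site), and the service provider checks issuer, audience and validity window before trusting the attributes. The entity IDs, attribute names, release policy and user record are all hypothetical, and XML signature generation and verification are left out: a real identity provider signs the assertion, and a real service provider must verify that signature before running any of the checks below.

```python
# Added example, not code from the column or from OASIS/Liberty: a toy SAML 2.0
# attribute-release and assertion-validation flow for the portal scenario.
# XML-DSig is omitted; a real IdP signs, and a real SP verifies the signature
# before anything else.  Entity IDs, policy and the user record are hypothetical.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", NS)
TS = "%Y-%m-%dT%H:%M:%SZ"

PORTAL_IDP = "https://portal.example.com/idp"  # hypothetical IdP entityID
SP_401K = "https://401k.example.net/sp"        # hypothetical SP entityID
SP_HEALTH = "https://health.example.org/sp"    # hypothetical SP entityID

# Attribute-release policy: SAML does not define this, the company does.
RELEASE_POLICY = {
    SP_401K: {"mail", "givenName", "sn", "postalAddress", "birthDate", "maritalStatus"},
    SP_HEALTH: {"mail", "givenName", "sn", "postalAddress", "birthDate", "healthPlanId"},
}

# Constructed sample identity record held by the portal.
USER = {
    "mail": "jdoe@example.com", "givenName": "Jane", "sn": "Doe",
    "postalAddress": "1 Main St, Springfield", "birthDate": "1980-04-02",
    "maritalStatus": "married",
    "healthPlanId": "HP-12345",  # private health data: must never reach the 401k SP
}


def q(tag):
    """Namespace-qualify a SAML 2.0 assertion element name."""
    return f"{{{NS}}}{tag}"


def release_attributes(user, sp_entity_id, policy=RELEASE_POLICY):
    """Return only the attributes the policy permits for this SP."""
    allowed = policy.get(sp_entity_id, set())
    return {k: v for k, v in user.items() if k in allowed}


def build_assertion(user, sp_entity_id, issuer=PORTAL_IDP, now=None,
                    lifetime=timedelta(minutes=5)):
    """IdP side: build an (unsigned) SAML 2.0 <Assertion> addressed to one SP."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex,
                                    "IssueInstant": now.strftime(TS)})
    ET.SubElement(a, q("Issuer")).text = issuer
    subject = ET.SubElement(a, q("Subject"))
    ET.SubElement(subject, q("NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = user["mail"]
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": now.strftime(TS),
                                              "NotOnOrAfter": (now + lifetime).strftime(TS)})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = sp_entity_id
    authn = ET.SubElement(a, q("AuthnStatement"), {"AuthnInstant": now.strftime(TS)})
    ET.SubElement(ET.SubElement(authn, q("AuthnContext")), q("AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    attrs = ET.SubElement(a, q("AttributeStatement"))
    for name, value in sorted(release_attributes(user, sp_entity_id).items()):
        ET.SubElement(ET.SubElement(attrs, q("Attribute"), {"Name": name}),
                      q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, expected_issuer, my_entity_id, now=None,
                       skew=timedelta(seconds=60)):
    """SP side: checks that must pass (after signature verification) before the
    attributes are trusted.  Returns (ok, reason, attributes)."""
    now = now or datetime.now(timezone.utc)
    parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", {}
    if root.findtext(q("Issuer")) != expected_issuer:
        return False, "unexpected issuer", {}
    cond = root.find(q("Conditions"))
    if cond is None:
        return False, "missing Conditions", {}
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse(nb):
        return False, "assertion not yet valid", {}
    if noa and now - skew >= parse(noa):
        return False, "assertion expired", {}
    if my_entity_id not in [e.text for e in cond.iter(q("Audience"))]:
        return False, "assertion not addressed to this SP", {}
    attributes = {att.get("Name"): att.findtext(q("AttributeValue"))
                  for att in root.iter(q("Attribute"))}
    return True, "ok", attributes


def demo():
    """The cases a practitioner cares about: happy path, replay at the wrong
    SP, wrong issuer, expired assertion, and the health SP's own view."""
    for_401k = build_assertion(USER, SP_401K)
    stale = build_assertion(USER, SP_401K, now=datetime(2020, 1, 1, tzinfo=timezone.utc))
    return {
        "401k": validate_assertion(for_401k, PORTAL_IDP, SP_401K),
        "replayed_at_health": validate_assertion(for_401k, PORTAL_IDP, SP_HEALTH),
        "issuer_mismatch": validate_assertion(for_401k, "https://other.example/idp", SP_401K),
        "expired": validate_assertion(stale, PORTAL_IDP, SP_401K),
        "health": validate_assertion(build_assertion(USER, SP_HEALTH), PORTAL_IDP, SP_HEALTH),
    }
```

Running `demo()` accepts the 401k assertion without a `healthPlanId` attribute, accepts the health-site assertion with it, and rejects the 401k assertion when it is presented to the health site, when the expected issuer differs, and when it has expired. The audience check is the one service providers most often skip, and it is what stops an assertion issued for one partner from being replayed at another.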

All this is more than mere convenience for employees. Big cost savings are involved as well. And it may also mean a far more competitive marketplace for services, with all the benefits that it provides, such as lower costs and a higher level of service. With SAML 2.0, these third-party providers no longer have to spend enormous amounts of time, energy, cash and resources on identity management. (Just the help desk time it takes to reset passwords, for example, is enormous -- and that cost will no longer have to be borne by third parties.) They'll just need to make sure that when they build their Web services to integrate with partners, they properly use SAML 2.0: establish a trust relationship with the portal's identity provider, and verify the signature, issuer, audience and validity period of every assertion they receive before acting on it. The rest of the identity management work will be taken care of for them. That means they can concentrate their time, money and resources on providing better and more services and trying to build a competitive advantage of some kind.

This also has implications for a wide variety of government regulations such as the Health Insurance Portability and Accountability Act, which governs the privacy of health records. SAML 2.0 lets organizations encode, as attribute-release policy at the identity provider, what information can be shared with each partner -- and what can't -- making it easier and less expensive to comply.

All this sounds like a rather rosy scenario, and at some point we'll probably get there. Today, of course, we're nowhere near that, because the standard has only just been accepted, and interoperability tests haven't started.

How will we get from where we are today to there -- and what other kinds of benefits does SAML provide? That's what I'll look at in my next column.

About the Author

Preston Gralla is an expert on Web services and is the author of more than 20 books, including How the Internet Works. He can be reached at
