
SAML remains open, securing XML security

In this tip, Ed Tittel discusses how Sun choosing not to enforce its patent on SAML helps further the whole open source environment growing up around XML security markup languages.

In a recent announcement, Sun Microsystems Inc. sought to reassure developers that it would never seek to assert ownership or patent rights on work the company had done in connection with the Security Assertion Markup Language, or SAML. Because SAML is the focus of a set of specifications under development in an OASIS Security Services technical committee, this announcement comes as something of a relief to a developer community that had been holding its collective breath and hoping for an outcome that would spare those who have already invested substantially in SAML-related tools and technologies from legal exposure or potential liability for patent infringement.

Sun's waiver of rights is both unilateral and voluntary and means that implementers who've been building on this technology don't have to negotiate licenses or deal with related paperwork. In general, the move helps further the whole open source environment growing up around XML security markup languages. Other organizations have recently done likewise for SAML, including America Online, Fidelity Investments and RSA Security.

This isn't the only time that Sun has voluntarily relinquished its rights, either: in September 2005, Sun declared it would not seek to enforce US or international patents it held related to the Open Document Format (ODF) for Office Applications (aka OpenDocument). I can't help but look at this as a very positive form of "pay it forward" in that Sun's own company name hearkens back to the days of the Stanford University Network, wherefrom many of its founders and much important technology upon which the company was built emerged.

Returning to the original subject, Sun's SAML Non-Assertion Covenant opens the doors for developers to continue using SAML v2.0 and means that they will not have to face imposition of licensing terms, usage conditions or fees related to patents that the company holds related to SAML 2.0. Nor need developers do anything to take advantage of this waiver, except to refrain from seeking to enforce any other patents against other SAML developments. Sun's explanation is also revealing: "Sun is doing this because SAML is a critically important technology, and we think it's important to provide as many assurances we can to developers implementing SAML technology—particularly open-source developers…" The full text of the Non-Assertion Covenant is available on the Cover Pages.

SAML 2.0 was approved as an OASIS standard in March 2005 and has been incorporated in numerous security-related XML developments since that time. Version 2.0 adds support for pseudonyms and their management between providers, along with enhanced metadata, expanded data encryption, improved attribute profiles and more powerful session management capabilities. The SAML 2.0 Technical Overview provides more technical details and includes information about SAML architecture and profiles, as well as a more complete comparison of 2.0 and 1.1 versions.

Sun is to be commended for voluntarily withdrawing any and all claims it may have had to the intellectual property inherent in SAML 2.0 and for clearing the way for ongoing open source and proprietary technologies to incorporate this security markup language.

About the author

Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed at with comments, questions or suggested topics or tools for review.
