Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."

Download it now to read this article plus other related content.

Efficiency Through Federation
Providers of enterprise identity management applications are rapidly supporting the use of SAML assertions as a means of passing identity information from a trusted source, like a company's directory service, to applications of all types. SAML could help application developers make authentication more transparent to users. In addition, the ability to pass attribute assertions to applications could foster enhanced role-based access controls while reducing role management complexity.

What can't be automated are the trusted relationships between domains. These relationships must be established out of band, either party to party or with a trust authority. It's relatively trivial to say, "Trust access assertions from ABC Corp.'s domain," but it's a different matter to first engage in that trust and provide levels of controls to maintain the integrity and security of your domain. Enterprises looking to federate should examine their partners' security programs to ensure they don't invite a compromise through a federated portal.

Likewise, SAML assertions are subject to the same fraud and misuse risks as conventional authentication credentials. Just as a fake driver's license makes it easier to get a counterfeit credit card, so too does a poor initial identification process make it easy to use the SAML standard to create fraudulent federated identities.

Nevertheless, SAML's flexible interoperability

    Requires Free Membership to View

and reliance on accepted standards make it an easy choice for authentication, authorization and security attribute assertions. SAML assertions are written in XML and can use XML-supported digital signatures, and encryption algorithms and schema. The SAML request/response protocols rely on SOAP over HTTP for transport. Both Liberty Alliance and Web Services Security specify SAML assertions in their standards.

SAML 2.0 promises to extend its usefulness. Expect these improvements:

  • Specifications that will simplify attribute exchanges among federated entities.
  • Improved cross-domain account linking for relying party organizations that need to maintain some information about external users.
  • XML encryption.
  • The capability to embed Kerberos tickets in assertions.
  • Enhanced trust through context metadata that can convey information on how a user was identified before his account was created, and the strength of the authentication method used.

Despite the refinements in SAML 2.0, the standard is still a work in progress. Even in its embryonic form, SAML is making strides in how trusted partners share applications, data and services across domains without building and managing identity stores for external users. Under the SAML schema, customers move transparently from site to site without reauthenticating, and organizations can cut identity management costs, reduce the complexity of identity infrastructure and improve the user experience.

This was first published in January 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: