Efficiency Through Federation
Providers of enterprise identity management applications are rapidly supporting the use of SAML assertions as a means of passing identity information from a trusted source, like a company's directory service, to applications of all types. SAML could help application developers make authentication more transparent to users. In addition, the ability to pass attribute assertions to applications could foster enhanced role-based access controls while reducing role management complexity.
What can't be automated are the trusted relationships between domains. These relationships must be established out of band, either party to party or through a trust authority. It's relatively trivial to say, "Trust access assertions from ABC Corp.'s domain," but it's a different matter to first establish that trust and then put controls in place to maintain the integrity and security of your domain. Enterprises looking to federate should examine their partners' security programs to ensure they don't invite a compromise through a federated portal.
Likewise, SAML assertions are subject to the same fraud and misuse risks as conventional authentication credentials. Just as a fake driver's license makes it easier to get a counterfeit credit card, so too does a poor initial identification process make it easy to use the SAML standard to create fraudulent federated identities.
Nevertheless, SAML's flexible interoperability
SAML 2.0 promises to extend its usefulness. Expect these improvements:
- Specifications that will simplify attribute exchanges among federated entities.
- Improved cross-domain account linking for relying party organizations that need to maintain some information about external users.
- XML encryption.
- The capability to embed Kerberos tickets in assertions.
- Enhanced trust through context metadata that can convey information on how a user was identified before his account was created, and the strength of the authentication method used.
Despite the refinements in SAML 2.0, the standard is still a work in progress. Even in its embryonic form, SAML is making strides in how trusted partners share applications, data and services across domains without building and managing identity stores for external users. Under the SAML schema, customers move transparently from site to site without reauthenticating, and organizations can cut identity management costs, reduce the complexity of identity infrastructure and improve the user experience.
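As an added illustration of the relying-party side described above (not code from the article or from any vendor), the following Python sketch shows what an application does with an incoming SAML 2.0 assertion once the out-of-band trust is configured: check that the issuer is a partner you chose to trust, that the assertion is in its validity window and addressed to you, that the authentication-strength context is acceptable, and only then map the asserted role attribute to local permissions. The issuer, audience, role names and the sample assertion are constructed; XML Signature verification against the partner's certificate is assumed to have been done by the caller.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Trust anchors are agreed out of band per partner (hypothetical names, not from the article).
TRUSTED_ISSUERS = {"https://idp.abc-corp.example/saml"}
OUR_AUDIENCE = "https://portal.example.com/sp"
# SAML 2.0 AuthnContext classes this application accepts (password over TLS, or stronger).
ACCEPTED_AUTHN = {"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                  "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"}
# Local mapping from the partner's asserted role attribute to this application's permissions.
ROLE_PERMISSIONS = {"purchasing": {"view_orders", "approve_po"}, "viewer": {"view_orders"}}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, now, signature_verified):
    """Return (accepted, reason, permissions). signature_verified is the result of XML
    Signature verification against the partner's certificate, performed before parsing."""
    if not signature_verified:
        return False, "signature", set()
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return False, "untrusted issuer", set()
    cond = a.find("saml:Conditions", NS)
    if cond is None or now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window", set()
    if OUR_AUDIENCE not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "wrong audience", set()
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx not in ACCEPTED_AUTHN:
        return False, "authentication too weak", set()
    perms = set()  # attribute assertion drives local RBAC; no identity store for external users
    for v in a.findall("saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS):
        perms |= ROLE_PERMISSIONS.get(v.text, set())
    return True, "ok", perms

# Constructed sample assertion (unsigned here; a real one carries a ds:Signature element).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" IssueInstant="2005-01-10T09:00:00Z">
  <saml:Issuer>https://idp.abc-corp.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@abc-corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-01-10T09:00:00Z" NotOnOrAfter="2005-01-10T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-01-10T08:59:50Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>purchasing</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def check_sample(now_iso="2005-01-10T09:01:00Z", signed=True, xml_text=SAMPLE):
    return evaluate_assertion(xml_text, parse_ts(now_iso), signed)
```

Each rejection reason corresponds to one of the controls the article says the relying party must supply itself; none of them is provided by the SAML schema alone.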
This was first published in January 2005