Security Assertion Markup Language has hurdled technology barriers to become a seamless Web single sign-on option for enterprises. Yet less than 10% of corporations are using it, according to Burton Group senior vice president Dan Blum, who authored a recent report on the security specification.
Blum cites the spec's relative youth and internal business pressures as reasons for the low number.
"Technology is not a roadblock any more," Blum said. "The technology is complex and requires skills, but it has been demonstrated to work and work well."
Members of OASIS, the standards body responsible for crafting and updating SAML, have announced that version 2.0 would be released this summer. SAML 2.0 will unify SAML 1.1 with many specifications developed by the Liberty Alliance under a single framework. OASIS says this will further enhance an enterprise's ability to carry Web single sign-on and Web services user authentication and authorization assertions through the firewall to customers, suppliers and business partners.
"There are business agreements and trust relationships that go on behind the technology front. Those are [difficult] issues to contend with," Blum said. "To get SAML deployed, you have to convince people in the organization that it's the right risk-management choice."
Blum said SAML is still in the early adopter phase, and there are currently no more than 200 production implementations. Those are found primarily in financial services, manufacturing, government, telecommunications, higher education, insurance and other industries where sensitive documents are transferred. Having federated identities in those instances cuts down on the cost of maintaining multiple user and password directories, Blum said.
"It can make applications feasible that were not feasible before," Blum said. "If you're using SAML, you can guarantee inter-domain sign-on for users, enjoy a cost savings by cutting into help desk costs, for example, and turn those savings into a competitive advantage."
Security, interoperability and management, Blum said, are a chief information officer's top three concerns about implementing Web services. SAML not only solves the prickly issue of federated identities but also is complementary to other specifications like Web Services-Security (WS-Security), which is the standard for signing and encrypting SOAP messages.
"SAML is the primary choice for Web single sign-on between dissimilar domains," Blum said. "The reason is that it's here, it's been tried and it works where you have different products internally and between domains."
Blum warns, however, that in addition to training costs and the chore of convincing decision makers of SAML's benefits, enterprises must also contend with regulatory requirements. Auditing, for example, is difficult because of the spec's youth and because of potential inconsistencies between business partners, suppliers and customers.
"Add all this friction and you could be losing ROI," Blum said. "At that point, you might want to put it on your road map and look at it again later."
Blum adds however that enterprises using or exposing applications as a Web service should consider SAML.
"If you have enough relationships, be they B2B, with customers, dealers, outsourcers or even internally, SAML should be considered," Blum said.