Among the most challenging aspects of Internet security is integrating disparate security systems while maintaining a seamless operation and safe environment. This is particularly important in e-commerce, where companies often need to exchange confidential data over the Web.
One initiative that the Organization for the Advancement of Structured Information Standards (OASIS) is overseeing is the Security Assertions Markup Language (SAML). SAML is an extension to XML, which deals specifically with the exchange of information between different security systems over the Internet.
What it is
SAML is not new technology; rather, it is a language that pulls together, into a single XML description, the information generated by different online security systems and allows them to communicate. Traditionally, IT security has been defined by the physical or logical boundaries of a single enterprise. But it's becoming increasingly important for businesses to form online partnerships, which require shared, secure environments to run smoothly.
This is where SAML can help. It bridges the gap between traditional security boundaries and enables business sites to exchange security information. The result is that transactions initiated on one site can be completed at another trusted site, using SAML as the go-between. Commercial agreements/partnerships between businesses are a prerequisite to using SAML as part of a shared security infrastructure.
How it works
SAML works within the context of standard industry transport protocols, such as HTTP, SMTP, and FTP, as well as various XML document-exchange frameworks, such as SOAP and BizTalk. A key benefit is that SAML enables users to move across the Internet with their security credentials, which allows for a single sign-on using SAML as the intermediary language for authentication and access to shared resources.
SAML thus provides a common framework for the exchange of authentication, authorisation, and profile information across disparate, policy-based security systems. Because SAML describes existing security models through XML, it is also platform-neutral and independent of vendor architecture and/or infrastructure. The list below summarises how SAML binds itself to commonly used transports:
- Web browsers: SAML assertions are communicated by a Web browser through cookies or URL strings.
- HTTP: SAML assertions are conveyed from a source Web site to a destination Web site via headers or an HTTP POST.
- MIME: SAML assertions are packaged into a single MIME security package combined with the message payload (a purchase order, a bank's line-of-credit statement, etc.).
- SOAP: SAML assertions are bound to the SOAP document's envelope header to secure the payload.
- ebXML: This provides a MIME-based envelope structure used to bind SAML assertions to the business payload.
As you can see, SAML is built around objects called assertions. These assertions are generated by and sent to trusted security authorities using a request/response protocol (SAMLQuery, SAML QueryResponse). SAML defines an XML data format for authentication assertions and authentication attributes, the parameters that security services use to make authentication decisions based on policy.