Security Assertion Markup Language (SAML) Version 1.1 Ratified as OASIS Standard
Boston, MA, USA; 22 September 2003 -- The OASIS standards consortium today announced that its members have approved the Security Assertion Markup Language (SAML) version 1.1 as an OASIS Standard, a status that signifies the highest level of ratification. SAML provides an XML-based framework for exchanging authentication and authorization information, enabling single sign-on--the ability to use a variety of Internet resources without having to log in repeatedly.
"SAML has gained widespread industry adoption as a basis for federated identity and security environments," said James Kobielus, senior analyst at Burton Group. "Clearly, SAML is a living, evolving standard, and OASIS has, with the new version 1.1, incorporated changes that reflect real-world experience with SAML version 1.0."
According to Prateek Mishra of Netegrity, co-chair of the OASIS Security Services Technical Committee, "Prior to SAML, there was no XML-based standard that enabled exchange of security information between a security system (such as an authentication authority) and an application. SAML provides a way to specify authentication, attribute, and authorization decision statements. It also specifies a Web services-based request/reply protocol for exchanging these statements."
"The SAML 1.1 standard introduces important enhancements that improve its interoperability and utility to other Web services security efforts in the industry. This can be seen through the adoption of SAML 1.1 as a foundation for the Liberty Alliance's Identity Federation Framework, the implementation of SAML 1.1 by the Internet2/MACE Shibboleth project, and the development of a SAML profile by the OASIS Web Services Security (WSS) Technical Committee for using SAML with WS-Security," added Rob Philpott of RSA Security, co-chair of the OASIS Security Services Technical Committee. "The growing participation of OASIS member companies in SAML's development and our committee's increasing collaboration with other security-related standards groups demonstrate the value of OASIS SAML standardization to the industry."
Liberty Alliance Management Board president, Michael Barrett, also vice president of Internet Strategy at American Express, commented, "Collaboration between standards organizations is critical to industry momentum and to ensure new technologies like single sign-on and Web services succeed. Organizations looking to benefit from these new technologies need access to proven, interoperable, and secure standards that they can build on for the next new technology. Open standards like SAML and Liberty's specifications have been proven to meet that need."
Members of the OASIS Security Services Technical Committee include Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard, Netegrity, Oblix, OpenNetwork, Reactivity, RSA Security, SAP, Sun Microsystems, Verisign, and other security software vendors, financial institutions, government agencies, and academia.
Industry Support for SAML 1.1
"Baltimore welcomes the completion of SAML 1.1 as an important building-block of the security services infrastructure that will underpin the emerging service oriented computing landscape," said Patrick McLaughlin, CTO, Baltimore Technologies.
"SAML 1.1 continues the evolution of this key standard for interoperable exchange of security information in federated environments," said Ed Cobb, Vice President, Architecture and Standards, BEA Systems, Inc (NASDAQ: BEAS). "We are pleased at the growing industry support for SAML to secure information access and to enhance user experiences in service-oriented environments."
"Managing the identities of users outside the enterprise has become as integral to business enablement as managing the identities of internal users," said Bilhar Mann, director of eTrust identity and access management solutions at Computer Associates. "The SAML OASIS Standard will play an instrumental role in enabling identity management beyond the enterprise. It will also enable users of CA's SAML-compliant, eTrust identity and access management solutions to more readily apply corporate management and security policies to systems that touch customers and supply-chain partners."
"The approval of SAML 1.1 as an OASIS Standard is an important step towards broader adoption of standards-based authentication and authorization solutions," said Sekhar Sarukkai, Vice President of Technology & Co-Founder of Confluent Software. "As a Web services management vendor supporting SAML in many customer engagements, we believe that the several important extensions in SAML 1.1 will help accelerate the deployment of secure, standards-compliant Service Oriented Architectures."
"The release of the 1.1 specification is a testament to the advancement for Web services deployments and the demand for pragmatic, interoperable solutions for Web services security," said Rich Salz, Chief Security Architect at DataPower Technology Inc. "The fact that much of SAML 1.1 is based on feedback from the 1.0 user community shows that SAML is being deployed and is meeting real-world needs. We look forward to increased adoption and evolution."
"As one of the early founding members of the OASIS Security Services Technical Committee and an ongoing contributor to SAML's development, we are happy to see its advancement in the industry as a standard for identity federation," said Tim Moses, Director of Advanced Security Technology, Entrust, Inc. "We are seeing increasing interest in the marketplace around SAML and are committed to continuing our support for the OASIS Standard through Entrust's broad portfolio of security solutions for Web Portals, Identity Management, and Web Services."
"Hitachi welcomes the enhancement of the SAML OASIS Standard," said Takao Nakamura, General Manager, Network Software of Hitachi, Ltd., Software Division. "We believe that SAML 1.1 will be an integral part of a secure Web services environment. We plan on adopting this standard for our Web services products in the future."
"The ratification of SAML 1.1 accelerates broader adoption of federated identity as a way to increase collaboration and effectiveness," said Prakash Ramamurthy, vice president of products and technology, Oblix. "We are pleased by growing industry support for SAML and are very proud of our customers, such as Southwest Airlines and SPAWAR, who report real business value from live SAML deployments."
"As security technologists and active participants in OASIS, we are excited that SAML 1.1 has become an OASIS Standard," said Bob Worner, vice president of product engineering at OpenNetwork. "We look forward to continued work and standards development and to delivering these technologies to our customers for more secure and cost effective identity management across disparate corporate boundaries."
"We are very pleased with the significant traction that SAML has received, and the enhancements in the 1.1 release of SAML incorporate what has been learned in those deployments," said Deepak Taneja, CTO at Netegrity. "Utilizing the SAML support within Netegrity's identity and access management solutions, companies are able to realize the benefits of flexible federation models."
"Reactivity is pleased to support SAML 1.1 as an OASIS Standard. The Reactivity XML Firewall incorporates support for the SAML Token Profile for Web Services to provide our customers with interoperable authentication credentials for securing XML and Web Services. SAML 1.1 incorporates feedback from actual production deployments of SAML, which attests to the strength of the standard in solving real-world problems and delivering rapid business results," said John Lilly, VP and CTO, Reactivity, Inc.
"RSA Security is firmly committed to industry standards that help our customers to be more productive, enjoy greater interoperability, achieve new business opportunities, and realize a strong return-on-investment across their infrastructure," said Jason Lewis, Vice President of Product Management and Marketing at RSA Security. "We have been involved with SAML from its inception, contributing core intellectual property and technical expertise to guide its development, and we are pleased with the progress that is reflected in version 1.1. We support version 1.1 in the latest release of RSA ClearTrust software and look forward to helping more of our customers capitalize on federated identity management."
"The area of security poses a real concern for companies assessing their web services strategy," said Sachar Paulus, Director of Product Security, SAP. "Now that SAML 1.1 has achieved OASIS ratification as the industry standard for security assertions, e.g., for delegating authentication and authorization decisions to central, federated Identity and Access Management solutions, a major aspect of the security architecture of a Web services-based landscape is addressed. SAP already supports SAML 1.0 with its current NetWeaver release for Single Sign-On purposes and is committed to use SAML 1.1 as a cornerstone for achieving the needed security of SAP's Enterprise Service Architecture."
"Sun continues to be committed to supporting SAML as it provides an essential framework for delivering secure, identity-enabled Web services," said Stephen Pelletier, vice president, Network Identity, Communication and Portal Products. "SAML is a key part of the Liberty Alliance's federated identity management initiatives, further demonstrating its significant value and market adoption. Sun is committed to supporting SAML version 1.1 in our market-leading, Liberty-enabled Java System Identity Server early next year."
About OASIS (http://www.oasis-open.org):
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 600 organizations and individual members in 100 countries.
OASIS Security Services Technical Committee: