Patrick Harding articulates what SAML 2.0 may mean to the industry:
Until this year, identity federation has suffered from the problem of too many standards. Companies that deployed federation before the fourth quarter were forced to deal with five incompatible protocols: OASIS Security Assertion Markup Language 1.0 and 1.1, Liberty Alliance ID-FF 1.1 and 1.2 and Shibboleth. The result was a complex matrix of enterprise and consumer use cases, protocols and implementations that slowed the growth and increased the cost of federation deployments.
The Organization for the Advancement of Structured Information Standards (OASIS), the Liberty Alliance and Shibboleth have since joined forces to create a single standard that would make their previous work obsolete. The result is SAML 2.0, which OASIS ratified in March and is beginning to appear in vendor products. SAML 2.0 radically alters the federation landscape by removing the largest barrier to increased federation adoption: multiprotocol complexity.
...SAML 2.0 incorporates every critical use case and feature from every predecessor protocol into a single standard. As it represents a superset of all the functionality in all five predecessors, SAML 2.0 makes them obsolete.
SAML 2.0 describes two roles for enabling federation; the service provider is the entity that makes an application or resource available to the user, while the identity provider is responsible for authenticating the user. The service provider and the identity provider exchange messages to enable single sign-on and single log-out. These message exchanges can be initiated by the identity provider or the service provider.
For single sign-on, the identity provider is responsible for creating a SAML assertion that contains the identity of a user and then securely sending that assertion to the service provider. The service provider is responsible for validating the SAML assertion before letting the user access the application.
Since the whole point of federation is to carry identity information across domains and make it usable there, convergence of the myriad standards is a welcome development.
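The service-provider validation step in the quoted passage (the SP must validate the assertion before granting access), as an added example that is not from the original post, any vendor product or the SAML specification itself: it runs the issuer, validity-window and audience checks against a constructed assertion. The names TRUSTED_IDP and SP_ENTITY_ID and the sample URLs are assumed placeholders, and XML-signature verification is assumed to have been done separately with an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.org/metadata"   # assumed IdP entityID
SP_ENTITY_ID = "https://sp.example.com/metadata"   # assumed SP entityID

def parse_ts(s):
    """SAML timestamps are UTC xsd:dateTime; fractional seconds are optional."""
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_idp=TRUSTED_IDP, sp_id=SP_ENTITY_ID):
    """Return (accepted, subject-or-reason). Assumes the XML signature was verified first."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a saml:Assertion"
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != trusted_idp:                    # only the federated IdP may assert identity
        return False, "untrusted issuer %r" % issuer
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity window"
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window"  # stale or replayed assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_id not in audiences:                   # assertion was issued for another SP
        return False, "not addressed to this SP"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return False, "no subject"
    return True, name_id

# Constructed sample assertion; a real one also carries a ds:Signature element.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2006-01-23T17:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2006-01-23T17:00:00Z" NotOnOrAfter="2006-01-23T17:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
IN_WINDOW = datetime(2006, 1, 23, 17, 2, tzinfo=timezone.utc)   # constructed "now"
EXPIRED = IN_WINDOW + timedelta(minutes=10)

if __name__ == "__main__":
    print(validate_assertion(SAMPLE, IN_WINDOW))  # (True, 'alice@example.org')
    print(validate_assertion(SAMPLE, EXPIRED))    # (False, 'outside validity window')
```

Each rejection reason maps to a distinct SP-side failure mode (wrong issuer, replay after expiry, assertion minted for a different SP), which is why a production SP logs the reason rather than just the refusal.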
How does SAML 2.0 compare to WS-Federation in terms of encapsulating past requirements?
Posted by: James | January 23, 2006 at 05:14 PM
Is the problem too many standards, or standards that are too complex to develop and review for security?
Don't you think that the major drawback of all these standards is their architectural and design complexity, because they want to address too large a scope?
Don't you think that simpler and "targeted" protocols would be easier to conceive and review for security flaws?
Fred
Posted by: Fred | February 06, 2006 at 02:44 AM