SAML sets up single sign-on

Users are forced to maintain multiple identities between employers, portals, user communities and business services, resulting in isolated business relationships and experiences. A federated identity is the key to eliminating this fragmentation.

To achieve widespread adoption of federated commerce, a standardized, multi-vendor, Web-based architecture using commonly deployed technologies, such as the Liberty Alliance Project’s Liberty Architecture, must be accepted and implemented. Single sign-on (SSO), which is the means by which a Web service conveys to another that a user is authenticated. Security Assertion Markup Language (SAML) provides a framework for SSO capabilities.

With SAML, a user would sign on at one Web site, and, if authorized, authentication could carry forward to the site of cooperating companies. Making travel reservations, for example, could become significantly easier; a user would sign on at an airline’s portal and quickly arrange for car rental and hotel rooms at other companies’ sites without having to wade through their sign-on processes.

SAML enables the exchange of authentication and authorization information about users, devices or any identifiable entity – “subjects,” in the vernacular of the standard. Using a subset of XML, SAML defines the request-response protocol by which systems accept or reject subject “assertions.”

SAML defines three types of assertions:

– Authentication, indicating that a subject was authenticated previously by some means (such as password, hardware token or X.509 public key).

– Authorization, indicating that a subject should be granted or denied resource access.

– Attribution, indicating that the subject is associated with attributes.

SAML does not specify how much confidence should be placed in an assertion. Local systems decide if security levels and policies of a given application are sufficient to protect a company if damage results from an authorization decision based on an inaccurate assertion. This characteristic of SAML is likely to spur trust relationships and operational agreements among Web-based businesses in which each agrees to adhere to a baseline level of verification before accepting an assertion.

SAML can be bound with multiple communication and transport protocols. It can be linked with Simple Object Access Protocol (SOAP) over HTTP.

SAML operates without cookies in one of two profiles: browser/artifact and browser/post. Using browser/artifact, a SAML artifact is carried as part of a URL query string. A SAML artifact is a pointer to an assertion. With browser/post, SAML assertions are uploaded to the browser within an HTML form and conveyed to the destination site as part of an HTTP post payload.

The effect of SAML will be multi-fold. With single-password access to SAML-enabled Web-based services from multiple portals, access will be less time-consuming and tedious. Meanwhile, companies will be able to establish new business partnerships and create Web-based services that provide consumers with choice, convenience and control.

Perlowitz is CTO for Reliable Integration Services. He can be reached at