SAML to simplify Web security integration

Internet travel reservations have become both a blessing and a bane for business travellers. You can change itineraries with the click of a mouse, but in order to do so it is necessary to log on to disparate flight, hotel and car rental accounts.

This is because individual companies choose their own security management software (Netegrity, Oblix, Tivoli, Sun) and there is little common language between them. Having Air Canada authorize you does little good when you want to go to the Hertz car rental site. You have to log on a second time.

The Organization for the Advancement of Structured Information Standards (OASIS) is nearing ratification of SAML 1.0. The Security Assertion Markup Language is a new proposed standard for interoperability among Web services security products, according to the Burton Group’s Network Strategy overview. In a nutshell, it would allow two SAML-enabled security managers (say Tivoli and Netegrity) installed by two different companies to communicate with each other.

“It enables security environments to be more flexibly reconfigured across different vendor platforms,” said James Kobielus, an Alexandria, Va.-based senior analyst with the Burton Group.

SAML uses, and is based on, XML and SOAP (Simple Object Access Protocol).

With a browser, a user would log on to a portal (this could be the corporate travel site) which keeps the master record of the person’s identity. The portal authenticates the user and, since it is SAML enabled, it creates a data structure called a SAML authentication assertion. The portal directs the browser to the site the user is trying to get into and, when it does, the portal attaches a redirection URL sequence called a SAML artefact. This is a string of characters that identifies the authentication assertion created for the user’s log-on event. The destination site uses the redirection URL sequence to go back to the portal to get the authentication assertion. It then verifies that the SAML assertion is a valid one, for example by validating a digital signature.

Additionally, the destination site will also match the user against local policy to make sure he or she can access the data they are after. This is designed to happen invisibly and instantaneously.
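The redirect-and-resolve sequence described in the two paragraphs above, written out as a small simulation. This is an added example and is not code from the article, from OASIS or from any of the vendors named; it assumes the SAML 1.x type-0x0001 artefact layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded and carried in a `SAMLart` query parameter), and it uses an HMAC over a shared key as a stand-in for the XML digital signature the article mentions. The `Portal`, `Destination`, user table and URLs are all constructed for the demo. It shows the points a practitioner cares about: the artefact can be resolved only once (so a replayed redirect fails), the signature and validity window are checked before the assertion is trusted, and authentication is followed by a separate local-policy check.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TYPE = b"\x00\x01"      # SAML 1.x type-0x0001 artefact
ASSERTION_LIFETIME = 300         # seconds the destination will accept an assertion

USERS = {"alice": "correct-horse"}  # constructed credential store for the demo


class Portal:
    """The portal (identity provider) holding the master identity record."""

    def __init__(self, source_name, signing_key, clock=time.time):
        self.source_id = hashlib.sha1(source_name.encode()).digest()  # 20-byte SourceID
        self.key = signing_key
        self.clock = clock
        self._pending = {}   # AssertionHandle -> signed assertion, resolvable once

    def login_and_redirect(self, user, password, target):
        """Authenticate the user, mint an assertion and return the redirect URL."""
        if USERS.get(user) != password:
            raise PermissionError("authentication failed")
        issued = int(self.clock())
        assertion = {"subject": user, "issuer": "portal", "issued": issued,
                     "expires": issued + ASSERTION_LIFETIME, "auth_method": "password"}
        payload = json.dumps(assertion, sort_keys=True).encode()
        # HMAC stands in for the digital signature over the assertion (assumption)
        signature = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        handle = os.urandom(20)                      # 20-byte AssertionHandle
        self._pending[handle] = (payload, signature)
        artifact = base64.b64encode(ARTIFACT_TYPE + self.source_id + handle).decode()
        return target + "?" + urlencode({"SAMLart": artifact, "TARGET": target})

    def resolve(self, artifact):
        """Back-channel call from the destination: hand over the assertion once."""
        raw = base64.b64decode(artifact)
        if len(raw) != 42 or raw[:2] != ARTIFACT_TYPE or raw[2:22] != self.source_id:
            raise ValueError("artefact not issued by this portal")
        return self._pending.pop(raw[22:], None)     # None if unknown or already used


class Destination:
    """The site the user is trying to reach (e.g. a car-rental site)."""

    def __init__(self, portal, verify_key, policy, clock=time.time):
        self.portal = portal
        self.key = verify_key
        self.policy = policy     # local policy: user -> set of resources allowed
        self.clock = clock

    def consume(self, redirect_url, resource):
        """Handle the redirected browser request; return True if access is granted."""
        params = parse_qs(urlparse(redirect_url).query)
        artifact = params.get("SAMLart", [None])[0]
        if artifact is None:
            return False
        found = self.portal.resolve(artifact)
        if found is None:
            return False                 # unknown artefact, or one already resolved (replay)
        payload, signature = found
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signature, expected):
            return False                 # assertion was not signed by the portal we trust
        assertion = json.loads(payload)
        if not (assertion["issued"] <= self.clock() < assertion["expires"]):
            return False                 # outside the assertion's validity window
        # local policy: being authenticated is not the same as being authorised
        return resource in self.policy.get(assertion["subject"], set())


def demo(clock=time.time):
    """Run one log-on, one redirect, and one replay of the same redirect."""
    key = b"shared-key-for-demo"   # constructed
    portal = Portal("https://portal.example", key, clock)
    rental = Destination(portal, key, {"alice": {"/reservations"}}, clock)
    url = portal.login_and_redirect("alice", "correct-horse", "https://rental.example/sso")
    first = rental.consume(url, "/reservations")
    replay = rental.consume(url, "/reservations")   # same artefact presented again
    return first, replay


if __name__ == "__main__":
    print(demo())   # (True, False): first use granted, replay refused
```

In a real deployment the destination resolves the artefact over an authenticated back channel (SOAP in SAML 1.0) rather than a direct method call, and the portal signs the assertion with a private key the destination verifies with the matching certificate; the one-time handle, the validity window and the separate policy check are the parts worth keeping regardless of transport.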

Today you can do this only within homogeneous vendor environments. “There are a lot of single-sign-on products but they don’t really talk to each other,” Kobielus said.

Jeff Hodges, protocol architect with Sun Microsystems Inc. in Santa Clara, Calif., agrees. “There are sophisticated access management solutions out there but they are all proprietary,” he said. “It is a proprietary morass.”

The key behind SAML is its ability to provide a framework so vendors can glue together disparate authentication environments, Hodges said. “It helps reduce the friction, (and though) SAML doesn’t solve all the world’s problems it is a step in the right direction.”

Most security management software vendors are already in the process of SAML-enabling their technology.

“The market will be in the early adoption phase for the next year or two,” Kobielus said. He sees the travel industry as being one of the early adopters.

It will not be all fun and games for IT, but a little pain now will alleviate a lot of pain later, he added.

“It certainly is going to add another layer of complexity,” Kobielus said. “For the IT guy it will make things simpler in the long run because there will be no need to install or implement custom code,” he added. “But you are still going to have to master the SAML concepts.”

The hope is that SAML will be ratified by this fall.