News

SAML, WS-Security on view at RSA

• By John K. Waters
• March 3, 2004

Eleven vendors teamed up with the U.S. General Service Administration (GSA) E-Gov E-Authentication Initiative to demonstrate the interoperability of the Security Assertion Markup Language (SAML) at the recent RSA Conference 2004 in San Francisco.

SAML 1.1 is an OASIS standard for the exchange of authentication, attribute and authorization information. It is an XML framework that serves as a basis for federated identity and security environments, and is designed to enable secure single sign-on to applications within organizations and across companies.

The idea behind this demonstration was to show interoperability of a SAML-based architecture, which was deployed across three separate scenarios, simulating interaction between a government or enterprise portal and sites from typical content or service providers.

"The SAML 1.1 specification reflects strong work in establishing a standard basis for federated identity," said Karl Best, vice president of OASIS. "We're pleased that RSA Security is hosting this event and actively participating in the interoperability lab. A public event of this caliber helps end-user organizations to see the cost and productivity benefits achieved by utilizing products that interoperate by supporting these standards."

The demo featured conference sponsor and namesake RSA Security's ClearTrust Federated Identity Management Module, which is designed to provide SAML functionality for generating and consuming standards-based SAML assertions.

Meanwhile, the Web Services Interoperability (WS-I) Organization released the public draft of its Security Scenarios document at the show. Developed by the WS-I's Security Profile Working Group, the 48-page document identifies security challenges and threats in building interoperable Web services and proposes countermeasures for these risks.

Speaking at a press conference, Hal Lockhart, principal engineering technologist at BEA Systems and a member of the WS-I Security Profile Working Group, called the release of the scenarios doc "a very important step" toward helping Web services developers to identify security problems and solutions.

The scenarios document provides just a sample of an infinite number of ways for companies to use standards such as WS-Security and SOAP Message Security 1.0 to secure Web services messages, Lockhart told reporters. But he hoped that it would stimulate discussion of Web services security issues within the industry.

"This activity will form the basis for what we consider to be the basic security profile," Lockhart said. "We want feedback from people. Is this the right set of scenarios, the right set of choices to make? We hope people will look at this document and feed back to us their reactions."

Security software vendor SafeNet gave conference attendees a preview of the upcoming release of its SafeZone Trusted Mobile Computing Toolkit. SafeZone is designed to enable developers to build secure applications for mobile environments, and to immediately enable the installed base of applications by offering current common industry-standard APIs.

Basically, SafeZone provides a middleware layer with industry-standard APIs that will bind security-aware applications and hardware security technologies. The result, the vendor claims, is a toolkit that enables developers at each stage of the platform evolution to quickly leverage the enhanced security in the latest platforms, while maintaining code compatibility with their current implementations.