Nov 24, 2002 (07:11 PM EST)
Extra Layer: Web-services Standard To Support Security

Read the Original Article at InformationWeek

Web services, for all the great press they get, have one constant rap against them: a lack of inherent support for security. That's because there are no provisions built into Web-services standards to secure transactions.

The Security Assertions Markup Language promises to address this need by providing a security layer that functions on top of Web services. SAML is an XML-based framework that associates information about security policies with a specific user or machine. Its bindings let it work with the Simple Object Access Protocol, the communication protocol used by Web services.

Here's how a SAML-based transaction works: A Web service receives a request, typically from another application or a portal server. A request is sent to another application, which returns an SAML-based response that contains data on what authentication and authorization is needed. Based on the SAML message, the Web service will use application logic to execute the service, return an error, or request additional information.

This all works only if Web services have SAML capability built into their framework. Ideally, platform vendors will provide this functionality as part of their Web-services environments. But SAML hasn't yet been widely adopted. Another innovative approach is to intercept traffic destined for Web services and use SAML-based assertions to validate a request before the Web service receives it.

Because SAML is a standards-based approach, vendor-product implementations most likely will interoperate. One of the initial practical uses for SAML is to provide single sign-on capabilities, freeing users from having to remember passwords for multiple systems.

The SAML 1.0 specification has just been approved by the Oasis group, which has overall responsibility for the standard. Other initiatives are under way on related projects that use SAML as a key underpinning.

The Liberty Alliance Project, an initiative that includes IT vendors and buyers and seeks to provide distributed identity-based products and services, employs SAML as a core enabling technology in its architectural specifications.

Sidebar to: Chart A Plan For Security