Abstract
Security Assertion Markup Language (SAML) 1.0 is a new proposed standard for interoperability among Web services security products. Enterprises are increasingly deploying access management solutions and other security products in Web services environments, and SAML is becoming a critical interoperability standard for securing these online environments from end to end, both within organizations and across business-to-business (B2B) value chains.
SAML 1.0, nearing ratification by the Organization for the Advancement of Structured Information Standards (OASIS), leverages Extensible Markup Language (XML) and Simple Object Access Protocol (SOAP). SAML 1.0 defines SOAP-based interactions among security and policy domains, supporting Web single sign-on (SSO), authentication, and authorization. The standard defines assertion-bearing request and response messages that security domains exchange to share authentication decisions, authorization decisions, and attributes pertaining to named users and resources. In a Web SSO scenario, for example, users log in to their home or "source" domains through authentication techniques such as ID/password or Kerberos. The source domain communicates this authentication decision, plus the context for that decision, to one or more affiliated or "federated" destination domains through a SAML authentication assertion.
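The following is an added example, not code from the paper or from any SAML product, showing what a destination domain has to check before it honours the kind of SAML 1.0 authentication assertion described above. The sample assertion, the issuer name `idp.example.com`, the audience URL `https://sp.example.org/` and the subject `alice` are constructed for illustration; the element names, the assertion namespace and the password authentication-method URI are those of SAML 1.0. XML Signature verification of the assertion is assumed to have been performed by a separate step before this content check runs, so it is not shown.

```python
"""Destination-domain validation of a SAML 1.0 authentication assertion.

Added example (not from the original paper). Checks the assertion-level
fields a relying domain must verify before accepting a source domain's
authentication decision: version, trusted issuer, validity window in
<Conditions>, audience restriction, and the freshness of the
<AuthenticationStatement>. Signature verification is assumed done elsewhere.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: source domain idp.example.com asserts that "alice"
# authenticated with a password at 10:00:00Z and the assertion is good for
# ten minutes, only for the audience https://sp.example.org/.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="_constructed-example-0001"
    Issuer="idp.example.com"
    IssueInstant="2002-06-01T10:00:05Z">
  <saml:Conditions NotBefore="2002-06-01T10:00:00Z"
                   NotOnOrAfter="2002-06-01T10:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.org/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-06-01T10:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="idp.example.com">alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _parse_instant(value):
    # SAML 1.0 timestamps are UTC xsd:dateTime values ending in "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_authn_assertion(xml_text, trusted_issuers, my_audience, now,
                             max_authn_age=timedelta(minutes=30)):
    """Return (ok, reason, subject); subject is the NameIdentifier text when ok."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 1.0 assertion", None
    if root.get("MajorVersion") != "1":
        return False, "unsupported MajorVersion", None
    # Trust is a local policy decision: only issuers the destination
    # domain has federated with are accepted.
    if root.get("Issuer") not in trusted_issuers:
        return False, "issuer not trusted", None

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_instant(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now >= _parse_instant(not_on_or_after):
        return False, "assertion expired", None
    # Every AudienceRestrictionCondition present must name this domain.
    for arc in cond.findall("saml:AudienceRestrictionCondition", NS):
        audiences = [a.text for a in arc.findall("saml:Audience", NS)]
        if my_audience not in audiences:
            return False, "audience mismatch", None

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no AuthenticationStatement", None
    authn_at = _parse_instant(stmt.get("AuthenticationInstant"))
    # Reject stale logins even if the assertion window is still open.
    if now - authn_at > max_authn_age:
        return False, "authentication too old", None
    name = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return False, "missing subject", None
    return True, "ok", name.text


if __name__ == "__main__":
    now = datetime(2002, 6, 1, 10, 5, 0, tzinfo=timezone.utc)
    print(validate_authn_assertion(SAMPLE_ASSERTION, {"idp.example.com"},
                                   "https://sp.example.org/", now))
```

The checks are deliberately ordered so that an assertion from an unknown issuer is rejected before any of its contents are interpreted, and the audience test follows SAML's rule that each restriction condition must be satisfied rather than any one of them.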
SAML 1.0 has undeniable momentum and support. The breadth and depth of vendor commitment to SAML 1.0 across the identity and access management (I&AM) market is impressive, with the noteworthy exception of Microsoft, which continues to back Kerberos and Passport as core protocols in its .NET framework for XML Web services. But even Microsoft has recently acknowledged the need to interoperate or federate its .NET security infrastructure with third-party I&AM environments, including those that implement SAML. Microsoft asserts that its WS-Security framework allows for interoperability with SAML, although this interoperability is not described in the draft WS-Security specification that Microsoft and IBM recently issued.
At press time, SAML 1.0's ratification is imminent. Still, there are few SAML-based products on the market. However, the range of SAML-based products will continue to grow, and by the end of 2002 there will be a critical mass of products from different vendors for enterprises to start testing SAML-based interoperability in earnest. Nevertheless, the initial crop of SAML-based products will support a narrow range of authentication and authorization interoperability scenarios, and real-world interoperability will be touch-and-go until the industry works through a broad range of technical details.
As written, SAML 1.0 does not guarantee that multivendor interoperability will be quick or painless. OASIS's Security Services Technical Committee (SSTC) and other industry groups will need to continue defining more detailed implementation profiles to accomplish that goal. Consequently, Web access management (WAM) vendors must help customers implement SAML profiles without getting lost in the many technical options that the standard allows, or getting bogged down in the many technical issues that the standard doesn't address at all. Enterprises must agree on trust relationships, identity namespaces, attribute schemas, session-management schemes, and other matters in order for their respective SAML implementations to interoperate fully.
Since this was a late-breaking talk, the author did not have time to complete the paper for the proceedings.