SAML declares victory, closes in on a billion IDs

Personally I think there are three trends at security management area. The first is more regulations, best practices, frameworks, standards and laws, so organizations and enterprises must adapt themself to comply those restrictions and suggestions. The second is that security is penetrating into core processes and business applications, deeper and deeper. As the proof, we can see that security managers are paying more and more attentions to data and application security. The third is integration and platform, ie. security information should be shared and exchanged between security devices and functions, so that an architecture similar to SOA and middlewares will be introduced into security technologies.

So a war for the backend standard is going among Microsoft, IBM, Sun, CA, Oracle and other players, or briefly between MS's passport and SAML. OASIS

As a de facto standard, related to the above three trends, SAML is of my interests for a long time. It's an important standard for web services and B/S structure applications, developed and maintained by ID-FF and OASIS. It help build up an open IAM base which other security mechanism and policy will run on.

See the following report at by Rich Seeley.

By the end of this year, there will be one billion identities and devices using the SAML 2.0-based Liberty identity standards, according to the Liberty Alliance. Liberty Federation, which consists of the open ID-FF (Identity Federation Framework) 1.1, 1.2 and SAML (Security Assertions Markup Language) 2.0 specifications, is now the de facto identity standard for architects and developers working on SOA and Web services applications, says Roger Sullivan, vice president of the Liberty Alliance management board and vice president of business development for Oracle Corp.'s identity management products. He argues that competing standards, such as WS-Federation, have failed to gain market traction because little of it is open source and thus it lost the battle. "Effectively the war is over," Sullivan says. "For developers the identity management infrastructure is now in place for innovative applications." However, Randy Heffner, a vice president with Forrester Research, Inc., isn't so sure we have reached peace in our time in the Web services standards wars. However, he does credit Liberty Federation with trumping the as yet largely unrealized WS-Federation vision of Microsoft in its Passport product. Since IBM joined Liberty this past year, Microsoft is the lone giant that has refused to join the Alliance, the analyst says. Microsoft still clings to the idea that it will come up with something someday, he notes, but it hasn't happened yet. "So if you talk about Liberty versus Passport," Heffner says, "Liberty clearly won." Sullivan argues that Web services application developers want open standards and it was the lack of openness that doomed the original Microsoft Passport. Openness is the reason Liberty Federation has achieved what he terms "viral" growth leading to the one-billion projection, Sullivan argues. He acknowledges that the one billion figure does include double touches, duplications where the same person with the standard implemented on their cell phone and wireless notebook would count as two. So there will not yet be a billion users at the end of the year, but anticipating continued viral growth, Sullivan does not think it will take long now that the tipping point has been reached for the number of actual human users to hit the billion mark. Gerry Gebel, senior analyst with the Burton Group, calls the one billion projection "a very important number." He says, "It's definitely a significant number and a concrete sign of maturity for the standards." He says Burton is seeing strong interest in federation from its clients based on the Liberty standards and the confidence developers have in the latest SAML standard. Describing himself as "bullish" on Liberty Federation, Sullivan predicts that as its implementation continues to grow exponentially it may create a global economic boom similar to the one the was the unexpected consequence of overbuilding fiber optic cable during the dot-com heyday. The resulting inexpensive long distance connectivity brought workers in India, for example, into the global economy staffing call centers and IT support organizations. The ability to build Web services applications based on a standard for a billion or more authenticated users all over the world could produce another boom, Sullivan argues. Again Heffner is more cautious about the future saying that standards for Web services development have yet to be worked out, but he believes the Liberty standard and especially ID-FF is something architects and developers can include in "reasonable planning." "ID-FF is a safe bet," the Forester analyst says. "You'll get support for it. There will be products that work with it." As developers begin to work with Liberty Federation, Sullivan envisions the first enterprise-level products will come in the financial services, manufacturing and government sectors. For example, a manager walking through an airport will be able to update an inventory database from a cell phone. "The technology to do that is in place today," Sullivan says. Sarbanes-Oxley compliance, an area where business and government applications intersect is "all about authentication," he says. This will be a major use of the standard not only in the U.S., but also in Japan where a similar law is set to go into effect. On the consumer side, he points to America Online as an early adopter. It is using Liberty Federation for its Radio AOL services providing online radio stations and music downloads to its subscribers.


Comments are closed.

%d bloggers like this: