Security Assertion Markup Language (SAML) Ratified as OASIS Open Standard

Authentication and Authorization Standard Enables Single Sign-On for Web Services

Boston, MA, USA; 6 November 2002 — The OASIS interoperability consortium today announced that its members have approved the Security Assertion Markup Language (SAML) v1.0 as an OASIS Open Standard, a status that signifies the highest level of ratification. SAML is an XML-based framework for Web services that allows the exchange of authentication and authorization information among business partners. SAML enables Web-based security interoperability functions, such as single sign-on, across sites hosted by multiple companies.

“SAML 1.0 is an important industry standard for federating diverse security domains across Web services environments,” said James Kobielus, senior analyst at Burton Group. “SAML 1.0 supports secure interchange of authentication and authorization information by leveraging the core Web services standards of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors of Web access management solutions have committed to SAML 1.0 and are currently implementing the specification in their products.”

“SAML lets companies implement single sign-on solutions that allow users to visit various Web sites without being repeatedly challenged for credentials,” explained Joe Pato of HP, co-chair of the OASIS Security Services Technical Committee. “In addition, SAML makes it possible to include security information in documents used in business transactions. This is particularly relevant for Web services, where security is critical.”

SAML incorporates industry-standard protocols and messaging frameworks, such as XML Signature, XML Encryption, and SOAP. The specification can be easily integrated in standard environments such as HTTP and standard Web browsers. Likewise, other security environments can use SAML as an authentication and authorization layer. SAML complements Web services standards, such as SOAP, which lack inherent security features. The OASIS Web Services Security Technical Committee, for example, is profiling SAML as one of its set of security tokens.

“SAML allows vendors to interoperate for the benefit of their customers,” said Jeff Hodges, Sun Microsystems, co-chair of the OASIS Security Services Technical Committee. “The standard is easily implemented by companies in existing environments, and SAML-aware security applications are already being introduced. Related security initiatives, such as Liberty Alliance’s Version One Specification, are leveraging SAML in order to more quickly realize their goals.”

The SAML OASIS Open Standard was developed by Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard Company, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun Microsystems, Verisign, and other members of the OASIS Security Services Technical Committee.

“Ratification as an OASIS Open Standard means that developers can deploy SAML with confidence,” said Karl Best, vice president of OASIS. “To attain this level of acceptance, SAML first completed an extensive public review, was approved by the OASIS Security Services Technical Committee, and demonstrated its readiness through multiple implementations. Finally, SAML was reviewed and approved by the OASIS membership as a whole. We congratulate and thank the members of the OASIS Security Services Technical Committee for all their outstanding efforts in advancing SAML as the newest OASIS Open Standard.”

“SAML depends on the availability of authentication frameworks such as PKI digital certificates,” said Terry Leahy of Wells Fargo, chair of the newly formed OASIS PKI Member Section. “We look forward to advancing PKI for end-entity authentication and for supporting persistent digital signatures conveyed through SAML assertions. Through SAML, PKI will provide a foundation for secure Web services.”

Support for SAML

“SAML represents a significant step forward in helping organizations to strengthen their online business relationships by making it easier to share authentication and authorization information across corporate boundaries and security domains” commented Peter Doyle, Vice-President Marketing with Baltimore Technologies. “Baltimore SelectAccess was first-to-market with SAML support earlier this year and Baltimore remains fully committed to driving standards which can enhance online security while delivering cost savings for organizations and a better experience for their users.”

“By both simplifying and strengthening online authentication and authorization, SAML will become a significant enabler of secure eBusiness in an increasingly complex and interdependent online environment,” said Ron Moritz, senior vice president for eTrust security solutions at Computer Associates. “As the leader in eBusiness security software, CA will play a key role in promoting the SAML standard as we incorporate it into our entire line of our eTrust identity management and access control products.”

“DataPower Technology sees open, easy to implement standards as one of the major building blocks to the foundation and success of ebusiness. As a member of OASIS, DataPower fully supports the advancement of SAML as an XML-based standard for exchanging authentication and authorization information to ensure that transmitted communications are secure,” said Steve Kelly, CEO at DataPower Technology, Inc.

“As one of the early founding members of the OASIS Technical Committee on SAML, and a ongoing contributor to the specification’s development, we are gratified to see SAML ratified as an industry standard,” said Ian Curry, vice-president, chief marketing officer, Entrust, Inc. “We are committed to continuing our support for SAML by incorporating the standard into the Entrust Secure Web Portal Solution as well as our growing Web Services portfolio.”

“The standardization of security technology is essential for the widespread adoption of Web services. Fujitsu is pleased with the announcement that SAML has become an OASIS Open Standard,” said Seigo Hirosue, General Manager, Project-A XML, Fujitsu Limited. “As a leading provider of Internet-focused information technology solutions for the global marketplace, Fujitsu has been committed to facilitating standard technologies. The future version of the Interstage software product – Fujitsu’s eBusiness infrastructure – will support the new SAML Standard.”

“Hitachi Ltd. sincerely welcomes SAML as an OASIS Open Standard,” said Kiyoshi Kozuka, General Manager, Software Division, Hitachi Ltd. “We believe that SAML is a core technology leading to the implementation of secure and interoperable Web services, and it encourages growth of the Web services market. We will adopt SAML 1.0 to implement our Web services products and will actively take part in further OASIS standardization efforts.”

“SAML and other security standards such as WS-Security allow customers to expand Web services beyond the firewall and integrate business processes securely with suppliers, partners and customers, which ultimately allows our customers to tap into new markets and revenue chains,” said Arvind Krishna, vice president of security products, Tivoli Software, IBM. “Through the federated identity interfaces currently available in our software and upcoming SAML support, IBM provides a way for Web services and enterprise applications to share identity information across multiple networks.”

“Netegrity, in cooperation with its partners, has been working on SAML for over two years, and we are very excited that it is now officially an OASIS Open Standard,” said Deepak Taneja, chief technology officer at Netegrity. “Netegrity was one of the first vendors to provide SAML support within its products, SiteMinder and TransactionMinder, enabling customers to quickly and cost effectively securely exchange user information across partner sites and within Web services.”

“The final acceptance of the SAML standard by OASIS is a huge step towards accelerating the interoperability of security systems for enterprises around the world”, said Nand Mulchandani, co-founder and CTO, Oblix. “Oblix has many customers who are on the forefront of implementing SAML in their organization because they have a need to access and transport security information between disparate systems. Oblix NetPoint, our Web access and enterprise identity management solution, is fully SAML-ready and available to support customers today.”

“Quadrasis is pleased to sponsor and support the OASIS SAML Technical Committee”, said Don Flinn, Quadrasis Chief Security Architect. “This XML-based security standard for exchanging authentication and authorization information is core to our Quadrasis EASI Security UnifierTM, a visionary solution to solve Enterprise Application Security Integration (EASI) across the multiple tiers, platforms, and security components of the enterprise. We look forward to continuing our efforts to advance the WS-Security and SAML specifications.”

“RSA Security strongly embraces industry standards as a means of delivering better value and investment security to our customer base,” said John Worrall, vice president of worldwide marketing at RSA Security. “As an early and active participant in the SAML effort, we’re pleased to see it reach OASIS Open Standard status and are already supporting it in our products and in live production environments. SAML is a core element of our vision for enabling Trusted Identity and Access Management–a vision that is helping organizations better utilize identity information for greater productivity and higher security.”

“Since customers are recognizing security more and more as a vital and high priority issue for professional e-business software, SAP has been supporting the development of SAML as an Internet standard for the exchange of authentication and authorization policies across platforms and enterprise boundaries. SAML contributes a significant piece to the standards stack in the evolving Web services space,” said Sinisa Zimek, Director Technology Architecture & Standards for SAP.

“As one of the leading developers of Web services-enabled integration solutions and an active supporter of OASIS, Sybase is excited to learn that SAML has been approved by this standards body,” said Billy Ho, senior vice president and general manager of Sybase’s e-Business Division. “By ensuring the security of XML-based transactions and interactions, SAML will help make Web services usable to all enterprises. Sybase will use SAML extensively to support next-generation security framework in our current and future service oriented architecture (SOA) offerings.”

“By serving as the ‘lingua franca’ for myriad authentication approaches, we expect the SAML standard to have a major impact on the broader Web services security arena,” said Don Adams, Principal Architect, Office of the CTO, TIBCO Software Inc.

About OASIS (

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. OASIS has more than 500 corporate and individual members in 100 countries around the world.

Don't miss