July 09, 2003

SAML: An overview and introduction

This is an introduction to SAML, clearing away some myths and misunderstandings about the new Security Assertion Markup Language.

Combine it with the exploding weblog and RSS cloud and interesting things start to happen. Link found via Marc Canter.

As a newcomer, the new Security Assertion Markup Language (SAML) specification is being compared to existing single-sign-on technology, authentication services, and directory services. SAML is the first of what will likely be many authentication protocols to leverage Web infrastructures, where XML data moves over HTTP protocols on TCP/IP networks. SAML was developed at the OASIS group as an XML-based framework for exchanging security information. SAML is different from other security approaches mostly due to its expression of security in the form of assertions about subjects. Other approaches use a central certificate authority to issue certificates that guarantee secure communication from one point to another within a network. With SAML, any point in the network can assert that it knows the identity of a user or piece of data. It is then up to the receiving application to accept if it trusts the assertion. Any SAML-compliant software can then assert its authentication of a user or data. This is important for the coming wave of business workflow Web service standards where secured data needs to move through several systems for a transaction to be completely processed.

Debunking SAML myths and misunderstandings

Posted by manne at July 9, 2003 08:51 AM
