Liberty Alliance Claims More SAML Interoperability

By Andy Patrizio | Dec 19, 2007
http://www.enterprisenetworkingplanet.com/news/article.php/3717606/Liberty-Alliance-Claims-More-SAML--Interoperability.htm

The Liberty Alliance announced Tuesday that the Tower of Babel just got one story shorter now that five IT providers have passed a unified test to ensure single sign-on interoperability.

The Alliance is a consortium focused on identity management in Web services and the development of a number of specifications related to identity and single sign-on. It has proposed extensions to the Security Assertion Markup Language (SAML), an XML standard for exchanging authentication and authorization data between security domains.

In previous SAML testing, two companies could claim compliance with the SAML 2.0 spec if they passed the test when communicating between themselves, but there were no promises that they would interoperate with anyone else. So while the list of companies that were SAML-compliant was lengthy, there were no promises that they could actually interoperate with anyone beyond two companies on the list, and the list didn't specify which companies.

Thanks to a new full-matrix interoperability testing methodology from The Drummond Group, HP, IBM, RSA, Sun Microsystems and Symlabs can claim full interoperability with each other, and every other company that passes the Drummond tests is guaranteed to work with all of the previously certified vendors.

"The old list didn't go as far as the random nature of a real world deployment," Roger Sullivan, president of the Liberty Alliance and vice president of Oracle Identity Management, told InternetNews.com. "In a real world deployment, the vendors with whom I'm going to interoperate with could be anyone. That's the point. I want my test to be as comprehensive as possible so customers who see the list know that the companies all work together."

There was also a change in how the tests are conducted. Previous compliance tests were done in a lab, but the new tests were done on the open, public Internet, "like in a real business environment, competing with traffic from all around the world," said Sullivan.

Jason Rouault, CTO of Identity and Security Management for HP Software, had high praise for the new testing methods. "The standards around federation were created and designed to achieve interoperability," he said. "We couldn't do things like a single sign-on or attribute sharing because every vendor was doing it totally different."

The single sign-on certification will be a big help for HP, he said. "It will really bring the customer costs savings and assurance in value," said Rouault.

These tests took about six weeks to validate, compared with the one week required by the older tests. But the new process ensures that SAML messages can be passed back and forth among all parties, and that they meet the U.S. General Services Administration (GSA) requirements for SAML 2.0 compliance.

In October the GSA began to mandate passing SAML 2.0 interoperability testing as a prerequisite for participating in the federal government's E-Authentication Identity Federation. The U.S. and 21 other nations had adopted SAML 2.0 for their secure sign-on, so any firm wanting to do business with these nations needs to pass the full-matrix test.

"SAML is the de facto protocol requirement around the world for federation," said Sullivan. "With the GSA endorsing this and making this testing as a prerequisite for their environment, we expect this program will accelerate even faster. But time will tell."

Article courtesy of internetnews.com