Web standard to ease secure portal sign-on

Impetus is growing for an emerging Web standard that will enable users to conduct transactions after a single log-in.

Impetus is growing for an emerging Web standard that will enable agencies to set up portals through which users can conduct transactions via multiple sites or access multiple applications after a single log-in.

Security Assertion Markup Language (SAML) 1.0 enables different applications, computing platforms and security systems to exchange user authentication information, so users do not have to re-enter their user names or passwords as they move from site to site within a Web portal.

If adopted by a broad range of security vendors, the standard could have implications for both businesses and federal agencies, according to industry experts.

"Federal agencies are rapidly getting into Web services, providing services through the Internet and intranets based on Web protocols," said James Kobielus, a senior analyst with the Burton Group, a consulting firm. "SAML enables single sign-on in a secure way."

"SAML is equally important to the federal government as well as the private sector," said Jahan Moreh, chief security architect at Sigaba Corp., a developer of secure messaging products.

Many technology requests for information recently issued by federal agencies involve the need for a way to securely exchange information between agencies and citizens. "This is where a standard like SAML becomes important, because it will allow users to authenticate at one place [an agency or Web site], and get services from another place" that has a trusted relationship with the agency or business, according to Moreh.

A key to the standard's success will be vendor adoption. So far, the standard, which will be ratified in November by the Organization for the Advancement of Structured Information Standards, is supported by all of the major identity and access management vendors, including companies such as Baltimore Technologies PLC, Entrust Technologies Inc., IBM Corp., Novell Inc., Netegrity Inc., Oblix Inc., RSA Security Inc. and Sun Microsystems Inc.

Microsoft Corp. is a major exception, opting instead to support the Kerberos authentication standard and its own Passport technology as core protocols in its .Net framework for Extensible Markup Language Web services.

Of the identity management vendors, Baltimore Technologies and Netegrity have released products that use the SAML 1.0 specifications.

Meanwhile, Sigaba last month received security validations from the U.S. and Canadian governments for its use of SAML and the Advanced Encryption Standard, as well as support for various public-key infrastructure technologies.

The National Institute of Standards and Technology and the Canadian Communications Security Establishment recently awarded Federal Information Processing Standards 140-1 validation to Sigaba's Gateway Version 3.0.20. That is the mandatory security requirement for systems used by all U.S. federal agencies.

Sigaba software resides between an organization's e-mail server and the firewall, encrypting outbound messages and decrypting inbound messages based on organization-defined policies. The software works with any authentication method and uses SAML to build a network of trust between organizations, Moreh said.

But SAML still faces hurdles, according to Kobielus. Currently, it only defines "a Web services protocol to support exchange of authentication and authorization decisions among affiliated security environments," Kobielus said. It doesn't yet define all the details needed for seamless Web single sign-on across vendors' products, he noted.

"There is much work to be done," Moreh agreed. SAML 1.0 emphasizes Web browser profiles, he added.

Few SAML-based products are currently on the market; however, the Burton Group anticipates there will be a "critical mass" of products for enterprises to use to start testing SAML-based interoperability by year's end.

***

A doorway to e-gov

Security Assertion Markup Language (SAML) 1.0 defines a standard way to exchange user authentication information across applications, systems and security infrastructures.

SAML takes advantage of protocols such as Extensible Markup Language and Simple Object Access Protocol. The standard defines request and response messages that security domains exchange when sharing user authentication and authorization information.

Basically, SAML enables a user to log on to a network or Web portal by using a password or Kerberos, a security system that authenticates users. The authentication decision and the context for that decision are sent to an affiliate Web site via SAML.
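To make that exchange concrete, here is an added example (not from the article or any vendor it mentions): a portal issues a SAML 1.0 authentication assertion for a user who logged in with a password, and the affiliate site checks the issuer, validity window and audience before trusting it. The site names, the trust list and the `demo()` helper are constructed for illustration, and XML Signature verification is assumed to happen separately before `validate()` runs.

```python
# Added example, not from the article: a portal builds a minimal SAML 1.0 assertion
# and an affiliate site checks it before trusting it. Site names are hypothetical;
# XML Signature verification is assumed to happen before validate() is called.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.0 method URI (Kerberos: urn:ietf:rfc:1510)
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_assertion(issuer, user, audience, method, now, ttl=300):
    """Portal side: 'user authenticated via method', valid ttl seconds, for one audience."""
    ET.register_namespace("saml", NS)
    a = ET.Element(f"{{{NS}}}Assertion", MajorVersion="1", MinorVersion="0",
                   AssertionID="_example-1", Issuer=issuer, IssueInstant=now.strftime(FMT))
    c = ET.SubElement(a, f"{{{NS}}}Conditions", NotBefore=now.strftime(FMT),
                      NotOnOrAfter=(now + timedelta(seconds=ttl)).strftime(FMT))
    ar = ET.SubElement(c, f"{{{NS}}}AudienceRestrictionCondition")
    ET.SubElement(ar, f"{{{NS}}}Audience").text = audience
    s = ET.SubElement(a, f"{{{NS}}}AuthenticationStatement",
                      AuthenticationMethod=method, AuthenticationInstant=now.strftime(FMT))
    ET.SubElement(ET.SubElement(s, f"{{{NS}}}Subject"), f"{{{NS}}}NameIdentifier").text = user
    return ET.tostring(a, encoding="unicode")

def validate(xml, trusted_issuers, my_audience, now):
    """Affiliate side: returns (user, method) for an acceptable assertion, else raises."""
    a = ET.fromstring(xml)
    c = a.find(f"{{{NS}}}Conditions")
    if a.get("Issuer") not in trusted_issuers or c is None:
        raise ValueError("untrusted issuer or no validity conditions")
    t = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    if not (t(c.get("NotBefore")) <= now < t(c.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    if my_audience not in [e.text for e in c.iter(f"{{{NS}}}Audience")]:
        raise ValueError("assertion not addressed to this site")
    st = a.find(f"{{{NS}}}AuthenticationStatement")
    user = st.find(f"{{{NS}}}Subject/{{{NS}}}NameIdentifier").text
    return user, st.get("AuthenticationMethod")

def demo():
    # Worked run: accepted once, then rejected as stale and as misdirected.
    now = datetime(2002, 11, 1, 12, 0, tzinfo=timezone.utc)
    portal, site = "https://portal.example.gov", "https://benefits.example.gov"
    xml = build_assertion(portal, "jdoe", site, PASSWORD, now)
    results = [validate(xml, {portal}, site, now)]
    for aud, when in ((site, now + timedelta(minutes=10)), ("https://other.example.gov", now)):
        try:
            validate(xml, {portal}, aud, when)
        except ValueError as e:
            results.append(str(e))
    return results
```

The three outcomes of `demo()` show why the affiliate must check more than the issuer: the same signed-looking assertion is accepted only while its window is open and only by the site it was addressed to.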