Sun, Microsoft Could Align Security For Web Services
There is growing hope that 'Liberty Alliance' and 'WS-Security' security plans will soon be interoperable. See why.
Common ground is emerging between the Sun-Novell-RSA Liberty Alliance, which uses the SAML standards, and the WS-Security framework proposed by Microsoft, IBM and VeriSign.
More important to developers than the politics, both groups are supplying technologies, specifications and test implementations to show that interoperable end-to-end web service security may soon be a reality, perhaps even by the end of the year.
Last week, Sun and the Liberty Alliance Program released Version 1.0 of their specification for implementing web services-based single sign-on. Liberty's 1.0 specifications outline a number of key single sign-on features, including the ability for a user to link accounts held by different service providers, and to authenticate, communicate and log out across those accounts.
The Liberty 1.0 spec is based on SAML (Security Assertion Markup Language) from the Organization for the Advancement of Structured Information Standards (OASIS), and uses an XML framework for exchanging authentication and authorization information.
Microsoft Finds Merits in SAML Support
With the release of Liberty 1.0, Microsoft execs told Integration Developer News that they are planning to support SAML within WS-Security. "Last week we talked about how we would think about SAML. WS-Security will look at Liberty and SAML as just another credential type, and we expect to have support in WS-Security this year," Adam Sohn, a product manager for Microsoft's .NET platform strategy group, told IDN.
Notably, OASIS now manages the standards proceedings for both SAML and WS-Security, as the group has also formed a technical committee to push WS-Security standards. Read more on the scope of the OASIS committee here. This factor will no doubt hasten whatever agreements can be made between Liberty and WS-Security.
"OASIS is setting us up for success," Sohn said. "Members of the OASIS security committee want to see all of our work reconciled, and we want to see SAML token support in WS-Security." Sohn added that WS-Security's decision to support SAML (and Liberty) will not prompt WS-Security to "downplay" plans to support a variety of security mechanisms already at work within the enterprise, including PKI, Kerberos and even SSL.
For more on the prospective agreement between WS-Security and SAML, the UK's The Register provides a nice summary of the announcements made during the Burton Group Catalyst 2002 Conference in San Francisco.
Where Liberty and WS-Security Meet
Liberty 1.0 specifications propose a single sign-on approach for enabling end-to-end business transactions between enterprises. It is a machine-to-machine authentication scheme, which means the Liberty 1.0 specifications do not involve the exchange of personal information. Instead, they define a format for exchanging authentication information between companies so that the user's identity is kept safe.
The Liberty proposed functions include:
For its part, WS-Security's proposal for authentication is to support a wide variety of credential types, including Kerberos, PKI and even SSL. And, now that WS-Security has been transferred into the standards community at OASIS, Sohn said he expects rapid progress on WS-Security's ability to support SAML, once that standard is set by OASIS.
There are other signs of hope for cooperation between rivals: WS-Security is developing a SAML binding, and during the recent Burton Group conference on security, WS-Security engineers demonstrated the ability to move SAML-based assertions within a WS-Security envelope.
But WS-Security will not limit itself to SAML. Since its inception earlier this year, IBM and Microsoft have intended WS-Security to provide a modular approach to an overall security framework, of which authentication is one module.
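As an added illustration of the demonstration described above (not code from the article, Microsoft, IBM or the Liberty Alliance), here is how a receiving web service might locate a SAML 1.0 assertion carried in a WS-Security header and accept it as a credential only if its issuer is trusted and the current time falls inside its validity window. The SOAP envelope, the 2002 WS-Security draft namespace, the issuer name and the subject are constructed sample values, and the assertion's XML signature is assumed to have been verified before this check runs.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1, the 2002 WS-Security draft, and SAML 1.0 assertions.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: a SOAP request whose WS-Security header carries a
# SAML 1.0 authentication assertion as its credential (the ds:Signature a
# real assertion would carry is left out of this sample).
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
       MajorVersion="1" MinorVersion="0" AssertionID="id-0001"
       Issuer="idp.example.com" IssueInstant="2002-07-15T10:00:00Z">
    <saml:Conditions NotBefore="2002-07-15T10:00:00Z" NotOnOrAfter="2002-07-15T10:05:00Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2002-07-15T09:59:30Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def authenticated_subject(envelope_xml, now_utc, trusted_issuers):
    """Return the subject the assertion vouches for, or raise ValueError.
    Assumes the caller has already verified the assertion's XML signature."""
    now = _ts(now_utc)  # UTC timestamp string, same format as the assertion
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    if assertion.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    # SAML 1.0: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    name = assertion.find(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no authenticated subject")
    return name.text
```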
Other proposed areas where WS-Security envisions a web services security framework include:
Microsoft's Sohn wouldn't comment on a specific date when these added WS standards might be out for formal public review, but he did say that he expects Microsoft will have first implementations and support for WS-Security in the .NET Framework by year's end.