Extra Layer: Web-services Standard To Support Security

Web services, for all the great press they get, have one constant rap against them: a lack of inherent support for security. That's because there are no provisions built into Web-services standards to secure transactions.

The Security Assertions Markup Language promises to address this need by providing a security layer that functions on top of Web services. SAML is an XML-based framework that associates information about security policies with a specific user or machine. Its bindings let it work with the Simple Object Access Protocol, the communication protocol used by Web services.

Here's how a SAML-based transaction works: A Web service receives a request, typically from another application or a portal server. The Web service then sends a request to another application, which returns a SAML-based response stating what authentication and authorization are required. Based on the SAML message, the Web service uses application logic to execute the service, return an error, or request additional information.

This all works only if Web services have SAML capability built into their framework. Ideally, platform vendors will provide this functionality as part of their Web-services environments. But SAML hasn't yet been widely adopted. Another innovative approach is to intercept traffic destined for Web services and use SAML-based assertions to validate a request before the Web service receives it.
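The two preceding paragraphs describe a Web service, or an interceptor placed in front of it, deciding whether to act on a request based on a SAML response. The following Python is an added illustration of that decision, not code from the article or from any vendor product: it parses a constructed SAML 1.0 assertion (the namespace, element and attribute names follow the OASIS SAML 1.0 assertion schema; the issuer, audience and subject values are made up) and applies the checks an interceptor would make before the Web service sees the request. It assumes the assertion's XML signature has already been verified by a separate library, which this example does not show.

```python
"""Validate a constructed SAML 1.0 assertion the way an interceptor in front of
a Web service might, before passing the request on (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.0 assertion namespace as defined by OASIS.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; the issuer, audience, subject and times are
# invented for this example and do not come from any real deployment.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="constructed-assertion-0001"
    Issuer="https://idp.example.test"
    IssueInstant="2016-07-24T11:35:00Z">
  <saml:Conditions NotBefore="2016-07-24T11:30:00Z"
                   NotOnOrAfter="2016-07-24T11:40:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://orders.example.test/ws</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2016-07-24T11:34:50Z">
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _parse_instant(value):
    """SAML 1.0 instants are UTC xsd:dateTime values; accept the trailing-Z form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, expected_issuer, now_utc):
    """Return (accepted, reasons, subject).

    Every check is evaluated rather than stopping at the first failure, so a
    rejected request leaves a complete record of why it was refused.
    now_utc is the interceptor's clock as an ISO-8601 UTC string.
    """
    reasons = []
    now = _parse_instant(now_utc)
    # Assumed: the XML signature over the assertion was verified upstream.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, ["root element is not a SAML 1.0 Assertion"], None
    if root.get("MajorVersion") != "1":
        reasons.append("unsupported MajorVersion")
    if root.get("Issuer") != expected_issuer:
        reasons.append(f"untrusted issuer {root.get('Issuer')!r}")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        reasons.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_instant(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_instant(not_on_or_after):
            reasons.append("assertion expired")
        # If the issuer restricted the audience, this service must be listed.
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            reasons.append("audience mismatch")

    subject = None
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        reasons.append("no AuthenticationStatement")
    else:
        ident = stmt.find("saml:Subject/saml:NameIdentifier", NS)
        subject = ident.text if ident is not None else None
        if not subject:
            reasons.append("no subject NameIdentifier")
    return not reasons, reasons, subject


if __name__ == "__main__":
    ok, why, who = validate_assertion(
        SAMPLE_ASSERTION, "https://orders.example.test/ws",
        "https://idp.example.test", "2016-07-24T11:35:00Z")
    print("accepted" if ok else "rejected", who, why)
```

The interceptor returns the subject only when every condition holds; the same assertion is refused once the clock passes NotOnOrAfter or when it is replayed against a service not named in the audience restriction, which is the check that keeps a token issued for one Web service from being accepted by another.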

Because SAML is a standards-based approach, vendor-product implementations most likely will interoperate. One of the initial practical uses for SAML is to provide single sign-on capabilities, freeing users from having to remember passwords for multiple systems.

The SAML 1.0 specification has just been approved by the Oasis group, which has overall responsibility for the standard. Other initiatives are under way on related projects that use SAML as a key underpinning.

The Liberty Alliance Project, an initiative that includes IT vendors and buyers and seeks to provide distributed identity-based products and services, employs SAML as a core enabling technology in its architectural specifications.

Sidebar to: Chart A Plan For Security
