11/22/2002
11:35 AM

Extra Layer: Web-services Standard To Support Security

Web services, for all the great press they get, have one constant rap against them: a lack of inherent support for security. The core Web-services standards, SOAP and WSDL, define how messages are structured and described but say nothing about authenticating the caller, authorizing the request, or protecting the transaction.

The Security Assertion Markup Language promises to address this need by providing a security layer that functions on top of Web services. SAML is an XML-based framework for expressing assertions about a subject, typically a user or a machine: that it was authenticated (and how), what attributes it holds, and whether a policy permits it to act on a given resource. Its SOAP binding lets those assertions ride inside the Simple Object Access Protocol messages that Web services already exchange.

Here's how a SAML-based transaction works: A Web service receives a request, typically from another application or a portal server. The Web service (or a policy-enforcement component in front of it) sends a SAML request to a SAML authority, which returns a SAML response carrying assertions about the requester: whether and how it was authenticated, which attributes it holds, and whether it is permitted to perform the requested action on the resource. The Web service checks that the assertions come from an issuer it trusts and are still within their validity window, then uses application logic to execute the service, return an error, or request additional information.
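The decision step above, as an added example that is not code from the article or from any SAML product. It parses a SAML 1.0 Response, accepts only assertions from a trusted issuer that are inside their NotBefore/NotOnOrAfter window, and maps the AuthorizationDecisionStatement onto the three outcomes the article names. The issuer URL, resource URL, subject name and the sample responses are constructed for illustration; the literal `samlp:Success` prefix check is a simplification of the QName comparison the spec requires. It deliberately skips XML Signature verification, which a real deployment must perform (or obtain equivalently from an authenticated transport) before trusting anything in the assertion, and it should run behind a hardened XML parser rather than the stock one.

```python
"""Evaluate a SAML 1.0 Response the way a Web service's policy enforcement
point would: trust only assertions from a known issuer that are inside their
validity window, then act on the authorization decision they carry."""
from datetime import datetime
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
SUCCESS = "samlp:Success"  # assumes the conventional samlp: prefix binding


def _ts(value):
    # SAML 1.0 timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def decide(response_xml, now, trusted_issuer, resource, action):
    """Return (decision, subject); decision is 'execute', 'error' or
    'request_more_info'.  Signature verification is assumed to have
    happened before this function is called (not shown here)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return ("error", None)
    for assertion in root.findall("saml:Assertion", NS):
        # Only an issuer we have a trust relationship with may vouch for a subject
        if assertion.get("Issuer") != trusted_issuer:
            continue
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and now < _ts(nb):
                continue
            if noa and now >= _ts(noa):
                continue
        authn = assertion.find("saml:AuthenticationStatement", NS)
        if authn is None:
            continue  # no proof the subject was authenticated
        subject = authn.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
        for ads in assertion.findall("saml:AuthorizationDecisionStatement", NS):
            if ads.get("Resource") != resource:
                continue
            actions = [a.text for a in ads.findall("saml:Action", NS)]
            if action not in actions:
                continue
            if ads.get("Decision") == "Permit":
                return ("execute", subject)
            return ("error", subject)  # explicit Deny or Indeterminate
        # Authenticated, but no decision covers this resource/action: ask for more
        return ("request_more_info", subject)
    return ("error", None)


# Constructed sample data (hypothetical names, not captured from any deployment)
ISSUER = "https://idp.example.com"
RESOURCE = "https://ws.example.com/orders"
NOW = datetime(2002, 11, 22, 16, 35, 5)


def _response(not_before, not_on_or_after, decision):
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="r-1" MajorVersion="1" MinorVersion="0"
    IssueInstant="2002-11-22T16:35:00Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="a-1" Issuer="{ISSUER}" MajorVersion="1"
      MinorVersion="0" IssueInstant="2002-11-22T16:35:00Z">
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2002-11-22T16:34:50Z">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AuthorizationDecisionStatement Resource="{RESOURCE}" Decision="{decision}">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


PERMIT_RESPONSE = _response("2002-11-22T16:34:00Z", "2002-11-22T16:40:00Z", "Permit")
DENY_RESPONSE = _response("2002-11-22T16:34:00Z", "2002-11-22T16:40:00Z", "Deny")
EXPIRED_RESPONSE = _response("2002-11-22T16:00:00Z", "2002-11-22T16:30:00Z", "Permit")

if __name__ == "__main__":
    for name, resp in [("permit", PERMIT_RESPONSE), ("deny", DENY_RESPONSE),
                       ("expired", EXPIRED_RESPONSE)]:
        print(name, decide(resp, NOW, ISSUER, RESOURCE, "Read"))
```

The expired response and the response from an untrusted issuer both fall through to `error` even though their Decision attribute says Permit: the validity window and issuer check run before the decision is ever read, which is the ordering a replayed or forged assertion is designed to exploit.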

This all works only if Web services have SAML capability built into their framework. Ideally, platform vendors will provide this functionality as part of their Web-services environments. But SAML hasn't yet been widely adopted. Another approach is to put an intermediary, such as an XML gateway or proxy, in front of the Web service to intercept inbound traffic and validate the request against SAML assertions before the Web service ever receives it; the service itself then needs no SAML code.

Because SAML is a standards-based approach, products from different vendors should be able to exchange assertions, although interoperability at the message level still has to be verified product by product. One of the initial practical uses for SAML is to provide single sign-on capabilities: a user authenticates once, and the resulting assertion is accepted by the other systems, freeing users from maintaining and re-entering passwords for each of them.

The SAML 1.0 specification has just been approved by OASIS, the standards body that has overall responsibility for the standard. Other initiatives are under way on related projects that use SAML as a key underpinning.

The Liberty Alliance Project, an initiative of IT vendors and buyers that seeks to provide federated, identity-based products and services, employs SAML as a core enabling technology in its architectural specifications.

Sidebar to: Chart A Plan For Security
