Information Management

SAML: The Secret to Centralized Identity Management

Complicated by too many systems, too many applications, and too many passwords, identity management is a major headache for most organizations. Can an intelligent, Web-services approach employing new standards ride to the rescue?



Vendor Trends in Identity Management

Identity management is a complex issue. It includes password maintenance, provisioning management, and access-control management. This article focuses on a portion of identity management that is greatly facilitated by SAML, specifically role-based access control (RBAC). An increasing number of vendors support RBAC, which allows administrators to manage access-control lists more simply because users are grouped by categories or roles. Managing access-control lists for a few roles is simpler than managing lists for a few hundred users.
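As an added example (not code from the article or from any vendor it names), the snippet below shows the mechanism the paragraph describes: a relying application reads the user's roles from a SAML 1.1 attribute assertion and checks them against a policy keyed by role rather than by user. The assertion text, the `Role` attribute name and the permission table are constructed assumptions.

```python
"""Role-based access control driven by a SAML 1.1 attribute assertion.

Added example, not from the article or any vendor product. Permissions are
granted per role, so onboarding a user never edits the policy table; only
the roles asserted for that user change. The assertion is constructed
sample input; attribute names and the policy are assumptions.
"""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
NS = {"saml": SAML1}

# Constructed sample assertion (unsigned). Signature and validity-period
# checks are assumed to have passed before any attribute here is trusted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-1"
    Issuer="idp.example.org" IssueInstant="2004-11-01T12:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>analyst</saml:AttributeValue>
      <saml:AttributeValue>contractor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Policy keyed by role: a few entries instead of one ACL line per user.
ROLE_PERMISSIONS = {
    "analyst": {"report:read", "report:run"},
    "manager": {"report:read", "report:run", "report:approve"},
    "contractor": {"report:read"},
}

def roles_from_assertion(xml_text, attribute_name="Role"):
    """Return the set of role values carried in the AttributeStatement."""
    root = ET.fromstring(xml_text)
    path = (f"saml:AttributeStatement/saml:Attribute"
            f"[@AttributeName='{attribute_name}']/saml:AttributeValue")
    return {v.text.strip() for v in root.findall(path, NS) if v.text}

def subject_from_assertion(xml_text):
    """Return the asserted subject name, or None if the assertion has none."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", NS)
    return node.text.strip() if node is not None and node.text else None

def is_permitted(roles, permission):
    """Deny by default: unknown roles grant nothing, known roles are unioned."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def decide(xml_text, permission):
    return is_permitted(roles_from_assertion(xml_text), permission)
```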

This article discusses an implementation with Jericho Systems' EnterSpace. Here's a short list of other prominent vendors:

Entegrity offers the SAML-based product, AssureAccess. This Java-based access management software protects portals and Web services access. The product includes LDAP-based authentication, single sign-on, authorization, audit, user management, and security policy administration out of the box.

Entrust's Secure Identity Management Solution has modular access management and identity management components that can be mixed and replaced to support user requirements. Entrust's SAML-based GetAccess centralizes security management to provide a common infrastructure to manage user identities and enable authentication and authorization across multiple applications.

IBM (along with ActivCard, Bioscrypt, ImageWare, and VeriSign) has announced a new Identity Management Portfolio designed to help organizations protect their information resources by incorporating additional layers of authentication and authorization into everyday business processes. The IBM collaboration simplifies identity management and reduces overall cost by offering a unified system that protects a wider range of identity management systems, from data, computers, and networks to employee badges, door locks, and security cameras.

The Identrus System standardizes digital identity authentication so that financial institutions can provide online services to their customers. The Identrus System enables global financial institutions to build trusted interrelationships that offer third-party services to their business customers.

Intrusic focuses on internal threats from hackers within the firewall. Its product, Zephon, identifies compromises to internal security by using a multilevel analysis architecture, which highlights inconsistencies in internal information flow. The assumption is that internal attacks create exception conditions in normal network operations and that these exceptions can be tracked and shut down. Zephon locates these exceptions by analyzing the environment, host, session, and packets of an information flow interaction.

Netegrity's Siteminder offers access management tools with role-based access control. The company's TransactionMinder is a full identity management and access management package that offers out-of-the-box SAML-based policy management security for Web services. SAML is modeled after Netegrity's work in XML-based security for authentication and authorization, defined in the Security Services Markup Language specification. (Note: In October 2004, Computer Associates announced that it would acquire Netegrity.)

CORE and NetPoint systems from Oblix cover various facets of identity management. COREid supports identity management and policy management with integrated provisioning, access control, and compliance-reporting packages. COREsv 4 is an enterprisewide Web services security and management deployment package, which includes COREid. The company's NetPoint is a SAML implementation for single sign-on that has been used by Southwest Airlines and the U.S. Navy.

RSA Security offers a variety of products related to identity management. RSA's ClearTrust is a rules-based platform that provides the capability for Web access management, supported by a centralized policy management function. The use of SAML in ClearTrust provides better identity management, authentication, and single sign-on across organizations. RSA is a strong supporter of SAML. It recently granted royalty-free access to two key patents involved in SAML technology.

Sun Microsystems' Sun ONE Identity Server uses SAML to support the Liberty Alliance specifications out of the box. This provides identity management and includes access management, identity administration, and enforcement of authentication and access policies. — Hank Simon

Hank Simon, a member of W3C and OASIS, leads the Web Services Technical Advisory Group, a 100-person, cross-line business team of Web services/SOA strategists, architects, developers, and implementers. Simon has been designing and developing IT architectures for 27 years. He has published more than 100 articles and six books on XML, Web services, and advanced technologies.