SAML: New Identity-Sharing Standard Builds On Trust
Southwest Airlines Co. and Boeing Co. are flying together in an ambitious Web initiative to give Southwest mechanics easier access to Boeing's electronic aircraft maintenance documentation. In the process, they're providing one of the first real-world tests of the new Security Assertion Markup Language to pass identity and access information from one company to another.
SAML lets Southwest mechanics log on to Boeing's portal and access electronic versions of repair manuals using the same logon information they use when signing on to Southwest's systems. That could offer a blueprint for business-to-business single-sign-on initiatives.
To keep its fleet of more than 380 Boeing 737s flight-ready, many of Southwest's 1,300 mechanics need to access Boeing's technical documents, which are available through the aircraft maker's Web portal, MyBoeingFleet. But Boeing wanted each Southwest mechanic to remember a separate user name and password to access the documentation. Barry Smithley, manager of maintenance programs for Southwest, worried that mechanics would forget the passwords. "The documents had to be easy to access," he says.
Last year, Southwest began deploying NetPoint, an identity-management application from security vendor Oblix Inc., for internal employees to log on. Because NetPoint and Boeing's systems support SAML, Brian Buege, Southwest's manager of applications frameworks, says the companies saw a way to bypass the separate logon IDs and passwords. "What we were going to do is build upon the implicit trust that has existed between our organizations for a long time," he says. "For Boeing to agree that it would accept that people logging in from our domain are who we say they are is a big statement of trust on their part."
Boeing, Southwest, and Oblix began deploying the system, which now supports 300 mechanics, several months ago. When they log on to the Southwest site using their Southwest credentials, users get encrypted, SAML-ready cookies. When mechanics need to access Boeing documentation, they click on links in Southwest's portal. Then a digitally signed SAML "assertion," which contains data about the mechanic and what he or she can access, is created. The assertion is sent to and vetted by Boeing's system for access to the requested manuals.
For Southwest, it's less likely that a repair will be delayed because of forgotten passwords. Says Smithley: "That's a sad excuse for not getting an airplane to the gate on time."