
Sunday, January 27, 2008

I recently got an e-mail asking about a blog entry I had made back in 2005 regarding Identity Federation, SAML and WS-Federation, and if I had attained any measure of clarity regarding their usage since that time. Since this is something I have been spending a bit of time on recently, it seemed like the perfect opportunity to talk about this.

When I wrote the original blog post, I phrased it as a competitive situation. I have since moved on from that position and consider them to be complementary approaches, each with strengths in certain areas. An Enterprise that is looking at an IdM implementation should be seeking to leverage the strengths that each camp brings to the table.

As of November 2007, SAML 2.0 is an OASIS standard and can be considered a combination of the features of SAML 1.X, the Liberty Alliance Identity Federation Framework and Shibboleth.

The other camp one should be looking at in the area of Identity Federation is the OASIS Web Services Secure Exchange (WS-SX) family of standards, which includes WS-Trust, WS-SecureConversation and WS-SecurityPolicy.

The area of contention between the two camps all too often arises when it comes to the domain of browser-based Single Sign-On. This has historically been the playground of SAML, but now the new kid on the block is WS-Federation, which describes how to use WS-Trust for browser-based Single Sign-On scenarios. WS-Federation is currently going through the standardization process at OASIS.

My perspective on both starts with the basic fact that SAML assertions are a general-purpose token format and can be used independently of the SAML protocol. I also very much like the WS-Trust based Security Token Service (STS), which provides the ability to translate between token formats.

SAML has a great deal of traction in the browser-based federation arena, while WS-SX targets securing web services. Given that SAML assertions are supported by a wide variety of IdM and SOA infrastructure products such as WAM products, WSM products, XML Security Gateways and more, my approach to dealing with interoperability concerns in this area (until the vendor camps work this out) will be to use products and technologies that bridge the gap by supporting both camps.
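To make the "assertions are independent of the protocol" point concrete, here is an added Python example (not from the original post and not any product's code) that carries one SAML 2.0 assertion inside a samlp:Response, as the browser SSO camp would, and inside a WS-Security header, as the WS-Trust camp would, and runs the same relying-party checks (validity window, audience) against either envelope. The issuer, subject, audience and timestamps are constructed sample values, and signature verification is assumed to happen elsewhere.

```python
# Added example (not from the original post): one SAML 2.0 assertion carried two ways, in a
# samlp:Response (browser SSO) and in a WS-Security header (WS-Trust camp), plus one check for both.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
# Constructed sample assertion: issuer, subject, audience and timestamps are made up.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2008-01-27T21:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-01-27T21:00:00Z" NotOnOrAfter="2008-01-27T21:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
# The same assertion wrapped in each camp's protocol envelope.
SAML_RESPONSE = f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_r1" Version="2.0">{ASSERTION}</samlp:Response>'
SOAP_WITH_WSSE = (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}">'
                  f'{ASSERTION}</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_assertion(xml_text, audience, now):
    """Find the saml:Assertion whatever the envelope, enforce the relying-party conditions
    (validity window, audience) and return (issuer, name_id). Signature verification (ds:Signature)
    is out of scope here; a real relying party verifies it before trusting any returned value."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if node is None:
        raise ValueError("no SAML assertion in message")
    cond = node.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # A missing timestamp attribute makes parse_ts() raise ValueError, which is the right outcome.
    if not (parse_ts(cond.get("NotBefore", "")) <= now < parse_ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this audience")
    return node.findtext("saml:Issuer", namespaces=NS), node.findtext("saml:Subject/saml:NameID", namespaces=NS)

def accepts(xml_text, audience, when):
    """Boolean wrapper: is the assertion in this message acceptable at ISO-8601 UTC time `when`?"""
    try:
        return extract_assertion(xml_text, audience, parse_ts(when)) is not None
    except ValueError:
        return False
```

Whichever envelope delivers it, the relying party ends up validating the same assertion with the same rules, which is what lets a single product bridge both camps.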

Tags: Security
1/27/2008 9:24 PM Eastern Standard Time