[announce] Security Assertion Markup Language (SAML) Ratified as OASISOpen Standard

[Carol Geyer <carol.geyer@oasis-open.org>]

Security Assertion Markup Language (SAML) Ratified as OASIS Open
Standard

Authentication and Authorization Standard Enables Single Sign-On for Web
Services

Boston, MA, USA; 6 November 2002 -- The OASIS interoperability
consortium today announced that its members have approved the Security
Assertion Markup Language (SAML) v1.0 as an OASIS Open Standard, a
status that signifies the highest level of ratification. SAML is an
XML-based framework for Web services that allows the exchange of
authentication and authorization information among business partners.
SAML enables Web-based security interoperability functions, such as
single sign-on, across sites hosted by multiple companies.

"SAML 1.0 is an important industry standard for federating diverse
security domains across Web services environments," said James Kobielus,
senior analyst at Burton Group. "SAML 1.0 supports secure interchange of
authentication and authorization information by leveraging the core Web
services standards of Extensible Markup Language (XML), Simple Object
Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors
of Web access management solutions have committed to SAML 1.0 and are
currently implementing the specification in their products."

"SAML lets companies implement single sign-on solutions that allow users
to visit various Web sites without being repeatedly challenged for
credentials," explained Joe Pato of HP, co-chair of the OASIS Security
Services Technical Committee. "In addition, SAML makes it possible to
include security information in documents used in business transactions.
This is particularly relevant for Web services, where security is
critical."

SAML incorporates industry-standard protocols and messaging frameworks,
such as XML Signature, XML Encryption, and SOAP. The specification can
be easily integrated in standard environments such as HTTP and standard
Web browsers. Likewise, other security environments can use SAML as an
authentication and authorization layer. SAML complements Web services
standards, such as SOAP, which lack inherent security features. The
OASIS Web Services Security Technical Committee, for example, is
profiling SAML as one of its set of security tokens.

"SAML allows vendors to interoperate for the benefit of their
customers," said Jeff Hodges, Sun Microsystems, co-chair of the OASIS
Security Services Technical Committee. "The standard is easily
implemented by companies in existing environments, and SAML-aware
security applications are already being introduced. Related security
initiatives, such as Liberty Alliance's Version One Specification, are
leveraging SAML in order to more quickly realize their goals."

The SAML OASIS Open Standard was developed by Baltimore Technologies,
BEA Systems, Computer Associates, Entrust, Hewlett-Packard Company,
Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security,
Sun Microsystems, Verisign, and other members of the OASIS Security
Services Technical Committee.

"Ratification as an OASIS Open Standard means that developers can deploy
SAML with confidence," said Karl Best, director of technical operations
at OASIS. "To attain this level of acceptance, SAML first completed an
extensive public review, was approved by the OASIS Security Services
Technical Committee, and demonstrated its readiness through multiple
implementations. Finally, SAML was reviewed and approved by the OASIS
membership as a whole. We congratulate and thank the members of the
OASIS Security Services Technical Committee for all their outstanding
efforts in advancing SAML as the newest OASIS Open Standard."

"SAML depends on the availability of authentication frameworks such as
PKI digital certificates," said Terry Leahy of Wells Fargo, chair of the
newly formed OASIS PKI Member Section. "We look forward to advancing PKI
for end-entity authentication and for supporting persistent digital
signatures conveyed through SAML assertions. Through SAML, PKI will
provide a foundation for secure Web services."


Support for SAML

"SAML represents a significant step forward in helping organizations to
strengthen their online business relationships by making it easier to
share authentication and authorization information across corporate
boundaries and security domains" commented Peter Doyle, Vice-President
Marketing with Baltimore Technologies. "Baltimore SelectAccess was
first-to-market with
SAML support earlier this year and Baltimore remains fully committed to
driving standards which can enhance online security while delivering
cost savings for organizations and a better experience for their users."

"By both simplifying and strengthening online authentication and
authorization, SAML will become a significant enabler of secure
eBusiness in an increasingly complex and interdependent online
environment," said Ron Moritz, senior vice president for eTrust security
solutions at Computer Associates. "As the leader in eBusiness security
software, CA will play a key role in promoting the SAML standard as we
incorporate it into our entire line of our eTrust identity management
and access control products."

"DataPower Technology sees open, easy to implement standards as one of
the major building blocks to the foundation and success of ebusiness. As
a member of OASIS, DataPower fully supports the advancement of SAML as
an XML-based standard for exchanging authentication and authorization
information to ensure that transmitted communications are secure," said
Steve Kelly, CEO at DataPower Technology, Inc.

"As one of the early founding members of the OASIS Technical Committee
on SAML, and a ongoing contributor to the specification's development,
we are gratified to see SAML ratified as an industry standard," said Ian
Curry, vice-president, chief marketing officer, Entrust, Inc. "We are
committed to continuing our support for SAML by incorporating the
standard into the Entrust Secure Web Portal Solution as well as our
growing Web Services portfolio."

"The standardization of security technology is essential for the
widespread adoption of Web services. Fujitsu is pleased with the
announcement that SAML has become an OASIS Open Standard," said Seigo
Hirosue, General Manager, Project-A XML, Fujitsu Limited. "As a leading
provider of Internet-focused information technology solutions for the
global marketplace, Fujitsu has been committed to facilitating standard
technologies. The future version of the Interstage software product -
Fujitsu's eBusiness infrastructure - will support the new SAML
Standard."

"Hitachi Ltd. sincerely welcomes SAML as an OASIS Open Standard," said
Kiyoshi Kozuka, General Manager, Software Division, Hitachi Ltd. "We
believe that SAML is a core technology leading to the implementation of
secure and interoperable Web services, and it encourages growth of the
Web services market. We will adopt SAML 1.0 to implement our Web
services products and will actively take part in further OASIS
standardization efforts."

"SAML and other security standards such as WS-Security allow customers
to expand Web services beyond the firewall and integrate business
processes securely with suppliers, partners and customers, which
ultimately allows our customers to tap into new markets and revenue
chains," said Arvind Krishna, vice president of security products,
Tivoli Software, IBM.  "Through the federated identity interfaces
currently available in our software and upcoming SAML support, IBM
provides a way for Web services and enterprise applications to share
identity information across multiple networks."

"Netegrity, in cooperation with its partners, has been working on SAML
for over two years, and we are very excited that it is now officially an
OASIS Open Standard," said Deepak Taneja, chief technology officer at
Netegrity. "Netegrity was one of the first vendors to provide SAML
support within its products, SiteMinder and TransactionMinder, enabling
customers to quickly
and cost effectively securely exchange user information across partner
sites and within Web services."

"The final acceptance of the SAML standard by OASIS is a huge step
towards accelerating the interoperability of security systems for
enterprises around the world", said Nand Mulchandani, co-founder and
CTO, Oblix. "Oblix has many customers who are on the forefront of
implementing SAML in their organization because they have a need to
access and transport security information between disparate systems.
Oblix NetPoint, our Web access and enterprise identity management
solution, is fully SAML-ready and available to support customers today."

"Quadrasis is pleased to sponsor and support the OASIS SAML Technical
Committee said Don Flinn, Quadrasis Chief Security Architect. "This
XML-based security standard for exchanging authentication and
authorization information is core to our Quadrasis EASI Security
UnifierTM, a visionary solution to solve Enterprise Application Security
Integration (EASI) across the multiple tiers, platforms, and security
components of the enterprise. We look forward to continuing our efforts
to advance the WS-Security and SAML specifications."

"RSA Security strongly embraces industry standards as a means of
delivering better value and investment security to our customer base,"
said John Worrall, vice president of worldwide marketing at RSA
Security. "As an early and active participant in the SAML effort, we're
pleased to see it reach OASIS Open Standard status and are already
supporting it in our products and in live production environments. SAML
is a core element of our vision for enabling Trusted Identity and Access
Management--a vision that is helping organizations better utilize
identity information for greater productivity and higher security."

"Since customers are recognizing security more and more as a vital and
high priority issue for professional e-business software, SAP has been
supporting the development of SAML as an Internet standard for the
exchange of authentication and authorization policies across platforms
and enterprise boundaries. SAML contributes a significant piece to the
standards stack in the evolving Web services space," said Sinisa Zimek,
Director Technology Architecture & Standards for SAP.

"As one of the leading developers of Web services-enabled integration
solutions and an active supporter of OASIS, Sybase is excited to learn
that SAML has been approved by this standards body," said Billy Ho,
senior vice president and general manager of Sybase's e-Business
Division. "By ensuring the security of XML-based transactions and
interactions, SAML will help
make Web services usable to all enterprises.  Sybase will use SAML
extensively to support next-generation security framework in our current
and future service oriented architecture (SOA) offerings."

"By serving as the 'lingua franca' for myriad authentication approaches,
we expect the SAML standard to have a major impact on the broader Web
services security arena," said Don Adams, Principal Architect, Office of
the CTO, TIBCO Software Inc.


About OASIS (http://www.oasis-open.org)

OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit, global consortium that drives the
development, convergence, and adoption of e-business standards. Members
themselves set the OASIS technical agenda, using a lightweight, open
process expressly designed to promote industry consensus and unite
disparate efforts. OASIS produces worldwide standards for security, Web
services, XML conformance, business transactions, electronic publishing,
topic maps and interoperability within and between marketplaces. OASIS
has more than 500 corporate and individual members in 100 countries
around the world.


For more information:

Carol Geyer
Director of Communications
OASIS (www.oasis-open.org)
carol.geyer@oasis-open.org
+1.978.667.5115 x209