SAML v1.1 Ratified as OASIS Standard

["Carol Geyer" <carol.geyer@oasis-open.org>]

Security Assertion Markup Language--SAML--Version 1.1 Ratified as OASIS
Standard

Baltimore Technologies, BEA Systems, Computer Associates, Entrust,
Hewlett-Packard, Netegrity, Oblix, OpenNetwork, Reactivity, RSA
Security, SAP, Sun Microsystems, Verisign, and Others Collaborate on
Authentication and Authorization

Boston, MA, USA; 22 September 2003 -- The OASIS standards consortium
today announced that its members have approved the Security Assertion
Markup Language (SAML) version 1.1 as an OASIS Standard, a status that
signifies the highest level of ratification. SAML provides an XML-based
framework for exchanging authentication and authorization information,
enabling single sign-on--the ability to use a variety of Internet
resources without having to log in repeatedly.

"SAML has gained widespread industry adoption as a basis for federated
identity and security environments," said James Kobielus, senior analyst
at Burton Group. "Clearly, SAML is a living, evolving standard, and
OASIS has, with the new version 1.1, incorporated changes that reflect
real-world experience with SAML version 1.0."

According to Prateek Mishra of Netegrity, co-chair of the OASIS Security
Services Technical Committee, "Prior to SAML, there was no XML-based
standard that enabled exchange of security information between a
security system (such as an authentication authority) and an
application. SAML provides a way to specify authentication, attribute,
and authorization decision statements. It also specifies a Web
services-based request/reply protocol for exchanging these statements."

"The SAML 1.1 standard introduces important enhancements that improve
its interoperability and utility to other Web services security efforts
in the industry. This can be seen through the adoption of SAML 1.1 as a
foundation for the Liberty Alliance's Identity Federation Framework, the
implementation of SAML 1.1 by the Internet2/MACE Shibboleth project, and
the development of a SAML profile by the OASIS Web Services Security
(WSS) Technical Committee for using SAML with WS-Security," added Rob
Philpott of RSA Security, co-chair of the OASIS Security Services
Technical Committee. "The growing participation of OASIS member
companies in SAML's development and our committee's increasing
collaboration with other security-related standards groups demonstrate
the value of OASIS SAML standardization to the industry."

Liberty Alliance Management Board president, Michael Barrett, also vice
president of Internet Strategy at American Express, commented,
"Collaboration between standards organizations is critical to industry
momentum and to ensure new technologies like single sign-on and Web
services succeed. Organizations looking to benefit from these new
technologies need access to proven, interoperable, and secure standards
that they can build on for the next new technology. Open standards like
SAML and Liberty's specifications have been proven to meet that need."

Members of the OASIS Security Services Technical Committee include
Baltimore Technologies, BEA Systems, Computer Associates, Entrust,
Hewlett-Packard, Netegrity, Oblix, OpenNetwork, Reactivity, RSA
Security, SAP, Sun Microsystems, Verisign, and other security software
vendors, financial institutions, government agencies, and academia.


Industry Support for SAML 1.1

Baltimore Technologies
"Baltimore welcomes the completion of SAML 1.1 as an important
building-block of the security services infrastructure that will
underpin the emerging service oriented computing landscape," said
Patrick McLaughlin, CTO, Baltimore Technologies.

BEA Systems
"SAML 1.1 continues the evolution of this key standard for interoperable
exchange of security information in federated environments," said Ed
Cobb, Vice President, Architecture and Standards, BEA Systems, Inc
(NASDAQ: BEAS). "We are pleased at the growing industry support for SAML
to secure information access and to enhance user experiences in
service-oriented environments."

Computer Associates
"Managing the identities of users outside the enterprise has become as
integral to business enablement as managing the identities of internal
users," said Bilhar Mann, director of eTrust identity and access
management solutions at Computer Associates. "The SAML OASIS Standard
will play an instrumental role in enabling identity management beyond
the enterprise. It will also enable users of CA's SAML-compliant, eTrust
identity and access management solutions to more readily apply corporate
management and security policies to systems that touch customers and
supply-chain partners."

Confluent Software
"The approval of SAML 1.1 as an OASIS Standard is an important step
towards broader adoption of standards-based authentication and
authorization solutions," said Sekhar Sarukkai, Vice President of
Technology & Co-Founder of Confluent Software. "As a Web services
management vendor supporting SAML in many customer engagements, we
believe that the several important extensions in SAML 1.1 will help
accelerate the deployment of secure, standards-compliant Service
Oriented Architectures."

DataPower Technology
"The release of the 1.1 specification is a testament to the advancement
for Web services deployments and the demand for pragmatic, interoperable
solutions for Web services security," said Rich Salz, Chief Security
Architect at DataPower Technology Inc. "The fact that much of SAML 1.1
is based on feedback from the 1.0 user community shows that SAML is
being deployed and is meeting real-world needs. We look forward to
increased adoption and evolution."

Entrust
"As one of the early founding members of the OASIS Security Services
Technical Committee and an ongoing contributor to SAML's development, we
are happy to see its advancement in the industry as a standard for
identity federation," said Tim Moses, Director of Advanced Security
Technology, Entrust, Inc. "We are seeing increasing interest in the
marketplace around SAML and are committed to continuing our support for
the OASIS Standard through Entrust's broad portfolio of security
solutions for Web Portals, Identity Management, and Web Services."

Hitachi
"Hitachi welcomes the enhancement of the SAML OASIS Standard," said
Takao Nakamura, General Manager, Network Software of Hitachi, Ltd.,
Software Division. "We believe that SAML 1.1 will be an integral part of
a secure Web services environment. We plan on adopting this standard for
our Web services products in the future.

OpenNetwork
"As security technologists and active participants in OASIS, we are
excited that SAML 1.1 has become an OASIS Standard," said Bob Worner,
vice president of product engineering at OpenNetwork. "We look forward
to continued work and standards development and to delivering these
technologies to our customers for more secure and cost effective
identity management across disparate corporate boundaries."

Netegrity
"We are very pleased with the significant traction that SAML has
received and the enhancements in the 1.1 release of SAML incorporate
what has been learned in those deployments," said Deepak Taneja, CTO at
Netegrity. "Utilizing the SAML support within Netegrity's identity and
access management solutions companies are able to realize the benefits
of flexible federation models."

Reactivity, Inc.
"Reactivity is pleased to support SAML 1.1 as an OASIS Standard. The
Reactivity XML Firewall™ incorporates support for the SAML Token Profile
for Web Services to provide out customers with interoperable
authentication credentials for securing XML and Web Services. SAML 1.1
incorporates feedback from actual production deployments of SAML, which
attests to the strength of the standard in solving real-world problems
and delivering rapid business results," said John Lilly, VP and CTO,
Reactivity, Inc.

RSA Security
"RSA Security is firmly committed to industry standards that help our
customers to be more productive, enjoy greater interoperability, achieve
new business opportunities, and realize a strong return-on-investment
across their infrastructure," said Jason Lewis, Vice President of
Product Management and Marketing at RSA Security. "We have been involved
with SAML from its inception, contributing core intellectual property
and technical expertise to guide its development, and we are pleased
with the progress that is reflected in version 1.1.  We support version
1.1 in the latest release of RSA ClearTrust software and look forward to
helping more of our customers capitalize on federated identity
management."

SAP
"The area of security poses a real concern for companies assessing their
web services strategy," said Sachar Paulus, Director of Product
Security, SAP. "Now that SAML 1.1 has achieved OASIS ratification as the
industry standard for security assertions, e.g., for delegating
authentication and authorization decisions to central, federated
Identity and Access Management solutions, a major aspect of the security
architecture of a Web services-based landscape is addressed. SAP already
supports SAML 1.0 with its current NetWeaver release for Single Sign-On
purposes and is committed to use SAML 1.1 as a cornerstone for achieving
the needed security of SAP's Enterprise Service Architecture."

Sun Microsystems
"Sun continues to be committed to supporting SAML as it provides an
essential framework for delivering secure, identity-enabled Web
services," said Stephen Pelletier, vice president, Network Identity,
Communication and Portal Products. "SAML is a key part of the Liberty
Alliance's federated identity management initiatives, further
demonstrating its significant value
and market adoption.  Sun is committed to supporting SAML version 1.1 in
our market-leading, Liberty-enabled Java System Identity Server early
next year."


About OASIS (http://www.oasis-open.org):
OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit, global consortium that drives the
development, convergence, and adoption of e-business standards. Members
themselves set the OASIS technical agenda, using a lightweight, open
process expressly designed to promote industry consensus and unite
disparate efforts. OASIS produces worldwide standards for security, Web
services, conformance, business transactions, electronic publishing,
topic maps and interoperability within and between marketplaces. Founded
in 1993, OASIS has more than 2,000 participants representing over 600
organizations and individual members in 100 countries.

OASIS Security Services Technical Committee:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Press contact:
Carol Geyer
Director of Communications
OASIS (www.oasis-open.org)
carol.geyer@oasis-open.org
+1.978.667.5115 x209