While there has been some consolidation, with Liberty and OASIS getting together to produce the now-approved SAML 2.0 specification, it appears at this point that the WS-* family is not going away any time soon.

Ping Identity Corp is stepping into the breach, announcing an early adopter beta program for a product, scheduled for release in Q1 next year, that supports and translates SAML 2.0 tokens. Ping is one of a number of players, from Reactivity to Forum, Sarvega, SOA Software, IBM, Microsoft and others, that have or are currently readying products that handle multiple tokens and security protocols.

Next week, Ping will demonstrate translation of SAML 1.1 and the Kerberos tokens heavily used in Microsoft products at the Burton Group’s annual Catalyst conference. Additionally, they are starting work on SAML 2.0 capability for at least one customer engagement.

The federated identity area has seen numerous standards, with SAML 2.0 having converged the previously separate SAML 1.1 and Liberty Alliance specifications.

The new spec made some significant patches. For instance, while SAML 1.1 supported single sign-on, it didn’t support single sign-off. And it lacked the ability to link different accounts maintained by the same user, a feature supported by Liberty. SAML 2.0 plugged those gaps, while eliminating the incompatibilities between the two security models.

Meanwhile, the WS-* specifications took a much simpler approach, separating the token, which states who the party is and to some extent what access privileges they are entitled to, from federation, where assertions are made.

Although Microsoft has been driving WS-* in conjunction with roughly a dozen partners, BEA, IBM, and VeriSign have straddled the fence, participating there and with SAML as well. The WS-* family has not been formally submitted to any standards body.

According to Eric Norlin, vice president of marketing for Ping, regardless of whether the two factions come together or not, there is a need for software that translates tokens because there are multiple varieties out there. In addition to tokens from legacy systems such as IBM’s 30-year-old RACF, other common variations include ACF, X.509 certificates, and XACML policies.

Categorizing federated identity as a tactical problem, Norlin claims that Ping customers are opting for the component’s point solution, which is far less broad and costly compared to offerings such as Tivoli Access Manager or CA’s Netegrity solutions.

According to Ron Schmelzer, analyst with ZapThink, security specs are all starting to converge.

“In practice, a lot of the issues around spec collision [or] confusion will be going away very quickly. If companies want to implement SAML or WS-Security or both, they can now certainly do that,” he said, adding that in the long run, the issue will come down to what WS-I, a cross-vendor group, does with their proposed Security profile. “Wherever the WS-I goes (or doesn’t), so too will the industry. We’ll see if they have the guts to take a real stand on the disparate security and federated identity specs.”