In-Depth

Sun Enhances SAML with Sun ONE Identity Server

New identity server supports SAML extensions to boost network single-sign-on across multiple sites

• By Stephen Swoyer
• 01/22/2003

In itself, that’s not necessarily big news. After all, a number of vendors already ship SAML-compliant products.

But the new version of Sun ONE Identity Server is also among the first products designed to support the Liberty Alliance specification, which, among other features, defines additional extensions that augment the SAML standard’s capabilities, especially in scenarios that involve multiple heterogeneous domains.

SAML is an OASIS standard that describes an XML-based framework for interoperable authentication and authorization between independent networks. SAML advocates—which at this point include Sun, IBM Corp., RSA Security, Entegrity, and a host of others—argue that it enables a variety of Web-based security functions, including single sign-on (SSO) and role-based access control (RBAC), between sites hosted by different organizations.

According to James Kobielus, a senior analyst with consultancy Burton Group, SAML is a young standard by any measuring stick—OASIS officially approved SAML 1.0 in November of 2002—but for the most part, it gets the job done. “In the core SAML standard, you set up a federated trust relationship between two sites, a portal that authenticates you and your browser, and then you have another portal on the back-end.”

Where SAML 1.0 is currently stretched too thin, Kobielus suggests, is in facilitating SSO authentication and authorization services between multiple sites. Enter the Liberty Alliance specification. “Liberty goes beyond SAML, and defines how you can set up trust relationships among multiple domains, a circle of trust, to enable the same end result.”

Once users sign on to the Sun ONE Identity Server—or, theoretically, to any Liberty-enabled SSO environment—they should have access to the resources appropriate to their authorization level in the circle of trust, Kobielus says. “It’s transparent to the user. He won’t have to re-enter his user name or password if he wants to access [any of the resources in the circle of trust].”

John Barco, senior product marketing manager for Sun ONE, says the Liberty specifications built on top of the SAML 1.0 specification, which “provides primarily the underlying framework, the XML-based framework, for exchanging security assertions between different security authorities.”

Because of this, he says, ISVs and enterprise developers can customize their own applications by programming to the Sun ONE Identity Server’s SAML API. To that end, he confirms, Sun will also make available a SAML toolkit.

Beyond B2B integration efforts

By itself, Barco says, SAML enables integration scenarios that involve business-to-business security and authentication services between separate companies. He anticipates that the Sun ONE Identity Server and its Liberty-enhanced SAML underpinnings could be popular in IT organizations that are trying to facilitate SSO access to resources across different business units within the same organization. “Most people probably think [SAML] means a business-to-business context, but one of the first beta customers of our Identity Server 6 product, Wells Fargo…[is] using our SAML toolkit to bridge their various online banking applications, so that they can provide a layer on top, a consistent security model on the top of all of these banking applications.”

Barco suggests that companies that have been active in merging with or acquiring other companies are typically in need of an SSO solution to tie together their disparate authentication and authorization mechanisms. “If you look at an enterprise that’s done a lot of mergers or acquisitions, everyone has different authorization or authentication models, so an easy way to provide a bridge between all of these is the SAML and Liberty technologies.”