RSA Adds SAML Support to Web Single Sign-On Solution

ClearTrust 5.0 takes on a new standards-based look

• By Matt Migliore
• 11/06/2002

The new release is designed to allow companies to secure and manage user identities and access privileges for Web single sign-on. Some experts believe it shows RSA is making an effort to position itself as a viable alternative to other significant vendors in this space.

Ted Kamionek, a senior product manager for RSA, says one of the key goals of the new release was to improve ClearTrust’s graphical user interface. “[We] spent the last year doing a lot of usability studies and a lot of testing to make the GUI much easier to [navigate].”

According to Kamionek, the ClearTrust GUI now mirrors typical Web navigation, and allows users to personalize content and make user-specific data available through Web-based applications.

The product also boasts increased interoperability, says Kamionek, noting the addition of support for SAML 1.0 provides an XML framework for exchanging authentication and authorization information both within an enterprise and among business partners.

In addition, ClearTrust now supports the Java Authentication and Authorization Service, which gives the product more flexibility to authenticate and enforce access controls upon users in Java environments.

Regarding SAML specifically, Kamionek believes RSA, as one of the early adopters of the specification, will have an opportunity to guide its development. At this point, SAML is still very much a leading-edge technology that hasn’t yet received much use in live implementations. Kamionek is confident SAML will be a vital technology in the future, making it easier for companies to authenticate transactions between themselves and their partners.

Furthermore, Kamionek feels RSA is the perfect advocate for SAML based on its strong record for developing standards. He cites the company’s contributions to the development of PKI, and the work Securant Technologies—a recent acquisition by RSA—did to build the popular SSL specification, as proof of RSA’s solid reputation in the area of standardization.

“We have a history of developing standards and making standards real,” says Kamionek.

Earl Perkins, an analyst with IT analyst firm Meta Group, says RSA has been active on the standardization front. But, he says, RSA’s record for developing successful standards is somewhat questionable. “RSA has a long history with trying to make standards real, with mixed results. RSA is as much about acquisition as innovation, though it has contributed to standards efforts in the past. The most notable [of those are] in the world of PKI, [and they] have not been as widely adopted as everyone would like. I think the name recognition they bring to the SAML adoption rate is significant. But there are a lot of players paying lip service to SAML—the real acid test is in the actual implementation.”

Perkins is optimistic, however, about the prospects for SAML, both from an overall standards perspective and from RSA’s perspective. “SAML isn't being considered for use on a widespread scale at present. [RSA’s support of it] is a gesture that will bear fruit in a couple of years,” he says. “What SAML support does indicate is that RSA appears serious about playing in the ‘multi-enterprise’ or federated environment for identity authentication.”

Overall, Perkins feels the enhancements RSA is promising with ClearTrust can put it on par with other vendors in this space, namely Tivoli and Netegrity.

“If RSA delivers on the feature set described and aggressively markets [it], they have a chance at reclaiming the space that I think a product like ClearTrust deserves,” says Perkins. “Unfortunately, that market is maturing rapidly on the web single sign-on side and is starting to branch out across the identity management space now. This is an area where RSA will face significant challenges.”

ClearTrust is compatible with most Web servers, application servers and enterprise applications, such as SAP and PeopleSoft. It includes a set of APIs for customizing the product to work with other applications.