Identifying Identity and Access Management Standards


In recent posts, I mentioned the SAML and WS-Federation standards. Since these are the prevailing industry standards, I think that it's important that we discuss them to gain a firm understanding of what they are, who developed them, and why they are important.


SAML is the Security Assertion Markup Language. It addresses the problem of exchanging authentication and authorization data between an identity provider and a service provider. Specifically, SAML allows businesses to make assertions about the identity of users to other companies or applications. SAML is a product of the Organization for the Advancement of Structured Information Standards (OASIS). The original SAML version 1.0 was released in November 2002. The latest version is version 2.0, which was released in March 2005.


WS-Federation is an identity federation specification developed by a consortium of vendors including BEA, BMC, CA, IBM, Layer 7, Microsoft, Novell and VeriSign. This standard allows the brokering of trusts, identities, attributes and authentication between participating Web services. The original standard was published in 2003. The current standard, version 1.1, was released in 2006.


Although I did not mention this standard in my original post, the Liberty Identity Federation Framework (ID-FF) is an important standard. ID-FF is part of the Liberty Alliance Project. The standard is based on trusts and relationships between businesses and federated user accounts. The latest standard, version 1.2, was released in 2005.


I have presented a lot of information for you to sort through here. Keep in mind when looking at identity and access management products that the particular standard is not what's important. What is important is that the product is based on a standard.