Using XML For Platform Security

Track: Large-Scale Architectures, Core Technologies

Audience Level: High Level/Technical view

Time: Thursday, November 17 14:00

Author: Gerald Beuchelt, Sun Microsystems, Inc.

Keywords: Enterprise Applications, Internet, Interoperability, Middleware, Web Services


The Security Assertion Markup Language (SAML) [SAML] provides authentication, attribute and limited authorization information: users that authenticate to a SAML Identity Provider (either transparently or directly) receive an XML token that carries authentication and other information. This token can be used to authenticate against other services that trust the respective Identity Provider.

While SAML is typically used for Web Single Sign-On (SSO) scenarios, there is in principle no restriction of SAML to such applications. If a SAML assertion (or, more generally, any XML security token or assertion) were presented appropriately to the authentication and authorization subsystem of, for example, an operating system, the token could be used for identity operations within the OS and its applications.

The Generic Security Service API (GSS-API) [GSS-API] defines a generic token format for binary security tokens. This token format can be used to transparently provide identity-related information to a service provider within the OS. GSS-API technology is currently implemented to varying degrees in Windows and some UNIX variants such as Solaris. By defining a GSS-API binding for XML security tokens in general and SAML 2.0 Authentication Statements in particular, one can start using such tokens for platform-level authentication.
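As an added illustration (not code from the talk or from Sun), the following Python shows the checks an OS authentication subsystem would have to apply to a SAML 2.0 Authentication Statement before mapping its subject to a platform principal: trusted issuer, validity window, audience bound to this host, and the presence of an actual authentication statement. The Identity Provider URI, host audience and user name are constructed placeholders, and verification of the assertion's XML Signature is assumed to have been done beforehand by an XML-DSig library.

```python
# Added example (not from the talk): checks a SAML 2.0 Authentication Statement
# before its subject is mapped to a platform principal. Assumes the assertion's
# XML Signature was already verified with an XML-DSig library (not shown here).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP, host and user names are made up.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2005-11-17T13:55:00Z">
  <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-11-17T13:55:00Z" NotOnOrAfter="2005-11-17T14:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:host:workstation-42</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-11-17T13:54:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def parse_ts(value):
    # SAML dateTime values here are UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def platform_principal(assertion_xml, trusted_issuers, audience, now):
    """Return (NameID, AuthnContextClassRef) or raise ValueError if a check fails."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("untrusted issuer")  # only assertions from known IdPs count
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not issued for this host")
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("no Authentication Statement: attribute-only assertions cannot log in")
    return (root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS))

def check_sample(now_iso):
    """Run the constructed sample through the checks; None means rejected."""
    try:
        return platform_principal(SAMPLE_ASSERTION, {"https://idp.example.org/saml2"},
                                  "urn:example:host:workstation-42", parse_ts(now_iso))
    except ValueError:
        return None
```

The returned AuthnContextClassRef lets the platform decide how much to trust the login (e.g. password over TLS versus a stronger context) rather than treating every assertion alike.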