27 February 2005

Debunking SAML myths

Debunking SAML myths and misunderstandings discusses SAML (Security Assertion Markup Language), and some common misundersandings and myths about SAML. A good read for anyone interested in digital identity using web technologies.

Myth: SAML is an authentication authority
SAML is an authentication protocol that is used between servers. You still need something that actually performs the login for you. All SAML can say is "you have logged in." For example, when an LDAP server authenticates a user, the authentication authority is the LDAP server even though the LDAP server may be using SAML to communicate the authorization.

In a complete authentication system, you still need to write a policy decision point to decide if a user may access a Web page. Additionally, you still need to write a policy enforcement point. This is a servlet or application that receives the authorization, checks the role and authorization, and then makes an assertion. Several companies provide commercial policy decision point and policy enforcement point solutions, including IBM.

Posted by mofoghlu at February 27, 2005 7:53 PM | TrackBack