Agreement concerning partial support of the SAML 2.0 standard
In 2006 the National IT and Telecom Agency sent an inquiry to
Microsoft with an appeal for support of the open SAML 2.0 standard in
Microsoft’s products.
This was motivated partly by a wish to drive integration costs down by using the same open standards for integration, and partly because the WS-Federation specification that Microsoft uses is not interoperable with the commonly recommended public-sector SAML 2.0 federation standard.
The ongoing dialogue between the National IT and Telecom Agency and Microsoft has resulted in an agreement on partial support of the SAML 2.0 standard in the forthcoming version of Microsoft's federation product, Active Directory Federation Services 2.
The text agreed upon is as follows:
“The Danish public sector has chosen SAML 2.0 as their federation
standard. Microsoft products use WS-Federation and WS-Trust as the
foundation of their federated identity architecture. The Danish
government has agreed that the SAML 2.0 token format is sufficient to
provide basic interoperability between WS-Federation and SAML 2.0
environments as a common assertion format, without loss of
authentication integrity.
To support interoperability between WS-Federation and SAML 2.0 based
products Microsoft has agreed to support the SAML 2.0 token format in
the future release of Active Directory Federation Services code-named
Active Directory Federation Services "2". Microsoft will
provide the Danish public sector Centre of Service Oriented
Infrastructure with pre-release code to help analysis and planning of
solutions for integrating WS-Federation-based clients in the Danish
federation, and to collect feedback on the feature implementation.
In addition, the co-authors of WS-Federation (including Microsoft)
have submitted the specification to OASIS for standardization. This
step further enables interoperability between federated environments
that deploy SAML 2.0-based products and those that deploy
WS-Federation-based products.”
This agreement opens the possibility of including Microsoft-based clients in a common public SAML 2.0-based federation.
The integration will require the standards-based login solutions to be extended with special integration code. The solution is therefore a pragmatic, tactical integration, but with the above-mentioned partial SAML 2.0 support from Microsoft it is expected that the integration can be done without affecting the individual organisations that use Microsoft Active Directory Federation Services.
To illustrate which elements of the Danish public-sector federation the agreement affects, the elements of the initial federation, scheduled to go live at the beginning of 2008, are shown below together with the planned extension, whose goal is to also provide login through WS-Federation.
In the initial federation Service Providers, Identity Providers and
associated Attribute service must conform to the SAML 2.0 standard.
A set of phases with further development of the federation is
planned. One element in this is to allow for “outsourcing” login to
the user’s local organisation using SAML 2.0 or WS-Federation.
In the planned extension, information about the login and, for example, the user's roles can be sent from the user's local organisation to the Identity Provider using SAML 2.0 or WS-Federation.
The existing elements in the federation being Service Providers,
Identity Providers and associated Attribute service must still conform
to the SAML 2.0 standard.
More information on the concrete possibilities will be published as
the National IT and Telecom Agency’s Centre for Service Oriented
Infrastructure receives pre-release code from Microsoft that can be
integration tested.
It is still desired that Microsoft support the whole of the SAML 2.0 standard in their products, but the above-mentioned agreement is a good first step towards more convergence among standards for cross-organisational user management.
The National IT and Telecom Agency also sees the filing of the
WS-Federation (WS-FED) specification for standardization in OASIS as a
step that can promote convergence among federation standards.
It should be stressed that this does not mean that the WS-Federation specification is recommended on an equal footing with SAML 2.0 for common public solutions.
When the results of the WS-Federation standardization become available (expected at the end of 2008) it may be relevant to make a new assessment, but for now SAML 2.0 is still the only standard recommended as a federation standard for Danish common public solutions.