Microsoft's token participation
Company backs another set of XML protocols
If you look over the General Services Administration's list of interoperable Security Assertion Markup Language (SAML) products, you'll notice that one name is conspicuously absent: Microsoft. The federal government is home to an overwhelming number of Microsoft Active Directory installations, which do the authentication within each agency. Could this lack of participation on Microsoft's part spell headaches for any systems administrator ramping up to GSA's E-Authentication program?
The good news is that the federated version of Active Directory, called Active Directory Federation Services, does have the ability to produce and consume SAML tokens. The current version of ADFS can do SAML 1.1 tokens, and the next version will support SAML 2.0 tokens, said Don Schmidt, principal program manager for Microsoft's Federal Identity.
However, ADFS sends and receives these assertions not via the SAML protocol but via another Extensible Markup Language-based set of secure transaction standards, called WS-* or WS-Federation.
This is a set of Web services protocols and includes WS-Security, WS-Federation and others. This is the group of standards Microsoft is backing.
So in order to speak SAML with an ADFS implementation, the other party's gear must be able to speak in these WS-* formats. Many federated identity products do this, and even in cases where that support isn't available, there are a growing number of products that can do the translation fairly easily, Schmidt said.
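An added example (not code from the article or from Microsoft's ADFS) of what that translation step looks like on the receiving side: it accepts the same SAML 1.1 assertion whether it arrives inside a WS-Trust RequestSecurityTokenResponse, as ADFS sends it, or inside a plain SAML 1.1 protocol Response, and applies the validity-window and audience checks a relying party needs before acting on it. The sample token, issuer URI and audience URI are constructed.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml in production against DTD/entity tricks
from datetime import datetime

NS = {  # SAML 1.1 reuses the SAML 1.0 namespace URIs; WS-Trust 2005/02 is what ADFS 1.x emits
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}

parse_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # SAML timestamps are UTC 'Z' form

def find_assertion(xml_text):
    """Return (envelope_kind, assertion) from a WS-Trust RSTR or a SAML 1.1 protocol Response."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}RequestSecurityTokenResponse" % NS["wst"]:
        kind, a = "ws-trust", root.find("wst:RequestedSecurityToken/saml:Assertion", NS)
    elif root.tag == "{%s}Response" % NS["samlp"]:
        kind, a = "saml-protocol", root.find("saml:Assertion", NS)
    else:
        raise ValueError("unrecognised envelope " + root.tag)
    if a is None:
        raise ValueError("no SAML 1.1 assertion inside %s envelope" % kind)
    return kind, a

def check_assertion(xml_text, our_audience, now):
    """Unwrap, then enforce validity window and audience; XML-DSig is NOT verified here (do it first)."""
    kind, a = find_assertion(xml_text)
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if our_audience not in [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this audience")
    attrs = {e.get("AttributeName"): e.findtext("saml:AttributeValue", None, NS)
             for e in a.iter("{%s}Attribute" % NS["saml"])}
    return {"envelope": kind, "issuer": a.get("Issuer"), "attributes": attrs,
            "subject": a.findtext(".//saml:Subject/saml:NameIdentifier", None, NS)}

# Constructed sample assertion (not a real ADFS token), wrapped in both envelopes below.
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"'
    ' AssertionID="_c1" Issuer="urn:example:adfs" IssueInstant="2006-01-01T12:00:00Z">'
    '<saml:Conditions NotBefore="2006-01-01T12:00:00Z" NotOnOrAfter="2006-01-01T13:00:00Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>urn:example:gsa-app</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement>'
    '<saml:Subject><saml:NameIdentifier>alice@example.gov</saml:NameIdentifier></saml:Subject>'
    '<saml:Attribute AttributeName="Group" AttributeNamespace="urn:example"><saml:AttributeValue>'
    'staff</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>')
WS_TRUST_RSTR = ('<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
                 '<wst:RequestedSecurityToken>%s</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>' % ASSERTION)
SAML_RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"'
                 ' MinorVersion="1" ResponseID="_r1" IssueInstant="2006-01-01T12:00:00Z">%s</samlp:Response>' % ASSERTION)
```

Either envelope yields the same issuer, subject and attributes once unwrapped, which is why the translation products Schmidt mentions can work; the window and audience checks are what stop a token issued for one GSA application being replayed against another.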
Microsoft threw its weight behind WS-* over SAML because it saw greater flexibility, Schmidt said. A potential downside of SAML is that the protocol and message format are intertwined as a single unit. If a better protocol or format comes along down the road, SAML users may not be able to take advantage of the improvement. Schmidt also said that everything that can be done in SAML, such as adding attributes, can be asserted in one of the WS-* specs, such as WS-Trust.
Schmidt said he doesn't fault GSA for banking on SAML, noting that the agency set up its framework to allow for multiple mechanisms. Thus far, the program supports SAML and the public-key infrastructure approach.
But it seems unlikely that ADFS will be on GSA's list of interoperable SAML products anytime soon. Schmidt suggested that GSA should also consider setting up a program for the WS-* approach, adding that he has seen some large Web services-based e-authentication implementations across government.
'There are other schemes and other protocols out there,' Schmidt said. 'And you have a lot of Active Directory out there in the government.'