Security Services Markup Language

If you've worked with business-to-business (B2B) transactions, you know that security is often lacking in XML-based documents. You can implement your own document-level security to solve this problem, but then you must integrate the security information into each document and achieve agreement among all your partners about your new security schema.

Enter Netegrity's Security Services Markup Language (S2ML), a proposed standard that different companies (and, therefore, different applications) can use to share security information in both B2B and business-to-consumer (B2C) transactions. S2ML isn't a new security technology; it's simply a proposed industry standard (authored by Bowstreet, Commerce One, Jamcracker, Netegrity, Sun Microsystems, VeriSign, and webMethods) that you and all your partners can adhere to. And its goal is interoperability. (As you well know, the many different security solutions on the market don't interact with one another.) S2ML is a common language that could let businesses of all sizes securely share information about users, authorization, and Web services. The beauty of S2ML is that the same mechanisms you use to consume your XML documents can quickly digest the security information.

In B2C environments, S2ML would facilitate single sign-on (SSO) access and eliminate the annoying multiple logons users face when they visit secure Web sites. SSO functionality takes users' initial credentials and reuses them as needed to continually identify the users. As proposed, S2ML is designed to allow SSO access with all of your partner sites. Because it describes the authentication information using standard XML, the information can move with the user from site to site.

S2ML boils down to two XML schemas (name assertion and entitlement) and an XML-based request/response protocol for two services (authentication and authorization). When a successful authentication occurs, the system creates a name assertion that describes the authentication type, the authenticator, and the authenticated object (e.g., a user). An entitlement further describes the authenticated object.

I've only skimmed the S2ML surface. OASIS, a standards and interoperability consortium, has formed the Security Technical Committee, which is meeting January 9 to attempt to blend the proposed S2ML standard with a competing XML security standard—Securant Technologies' AuthXML. If we're lucky, out of this meeting will come a single XML security standard that gives companies greater security authentication and authorization options when they share data among customers and partners. To learn more about S2ML, visit the S2ML Web site.
