SAML 2.0 is the second cut at getting a usable approach to an open standard for exchanging authentication and authorisation information between systems and services.  OASIS have effectively stopped any further elaboration of the SAML 2.0 standard to focus on encouraging take-up, part of which is the promotion of SAML Profiles.

SAML 2.0 introduces 'profiles' to facilitate interoperability by providing a 'common' method for information exchange.  A SAML 2.0 profile may define constraints on, and extensions of, the core SAML protocols and assertions for applying SAML to a particular use case.  By agreeing to support a particular SAML Profile (rather than the complete specification set), parties who wish to exchange SAML messages should find it easier to achieve interoperability.  For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated using the Authentication Query and Response messages to enable Single Sign-On for a browser user.
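The Web Browser SSO exchange described above, reduced to its two messages and to the checks a service provider (SP) must make before trusting the assertion it gets back. This is an added example, not code from the original page or from any vendor: the entity IDs and URLs are constructed placeholders, the XML is constructed sample data built with the SAML 2.0 `samlp:AuthnRequest`, `samlp:Response` and `saml:Assertion` elements, and XML signature verification (which in real code runs before any of these checks) is left out because it needs an XML-DSig library.

```python
# Added example (not from the original page): the two messages of the SAML 2.0
# Web Browser SSO exchange, as constructed sample XML, and the checks a service
# provider (SP) applies to the assertion before trusting it. Entity IDs and URLs
# are made-up placeholders. XML signature verification is the one check left out
# because it needs an XML-DSig library; in real code it runs before everything else.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for XML received from the network

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sp.example.test/metadata"    # constructed placeholder
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # constructed placeholder
ACS_URL = "https://sp.example.test/acs"               # constructed placeholder


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """Step 1, SP -> IdP via the browser: ask the IdP to authenticate the user."""
    return f'''<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="{request_id}" Version="2.0" IssueInstant="{iso(now)}"
    AssertionConsumerServiceURL="{ACS_URL}">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>'''


def build_response(request_id, now, subject="alice", issuer=IDP_ENTITY_ID,
                   audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """Step 2, IdP -> SP via the browser: a Response carrying one authentication assertion."""
    nb, noa = iso(now), iso(now + lifetime)
    return f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="{iso(now)}"
    InResponseTo="{request_id}" Destination="{ACS_URL}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{iso(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}"
            Recipient="{ACS_URL}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{iso(now)}"/>
  </saml:Assertion>
</samlp:Response>'''


def validate_response(xml_text, expected_request_id, now, skew=timedelta(seconds=60)):
    """SP-side checks. Returns the NameID or raises ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # Binding the response to a request this SP actually sent defeats replay and unsolicited responses.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issuer is not a trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + skew < parse_iso(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_iso(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match this SP or request")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def outcome(xml_text, expected_request_id, now):
    """Convenience wrapper: the accepted NameID, or the reason the response was rejected."""
    try:
        return "accepted:" + validate_response(xml_text, expected_request_id, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(build_authn_request("_req1", t0))
    resp = build_response("_req1", t0)
    print(outcome(resp, "_req1", t0 + timedelta(minutes=1)))   # accepted:alice
    print(outcome(resp, "_req1", t0 + timedelta(minutes=10)))  # rejected:assertion expired
```

The order of the checks is deliberate: request binding (`InResponseTo`), issuer, validity window, audience and subject confirmation each close off a different way an otherwise well-formed assertion could be presented to the wrong party or at the wrong time, which is the part of "interoperability" a profile leaves to the implementer.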

Federation is addressed by SAML 2.0 by adoption of the key elements of the Liberty Alliance Federation Framework.  Federation capabilities raise an interesting question, similar to the PKI conundrum – nice solution, now where is the problem?

Lakebridge see federation as a question of how the business wants to do business.  What principles should the business apply to federation?  Why and when should the business federate?  For example, can the business identify where federation will show real business value, either by reducing costs (transaction, operational and so on) or by increasing revenues or driving adoption of a service (e.g. by making it easier to use and providing a rewarding user experience)?

Federation, and the way it is applied, has to consider the needs and capabilities of stakeholders.  There might be many different flavours of federation, and the business's decision logic has to be able to cope with this.

Exchanging information is relatively easy.  Why you do it and what the information actually means, less so.