What is AuthXML?

AuthXML is a specification for authentication and authorization information in XML. AuthXML is a transport-independent XML definition that allows security authorities in separate organizations to communicate about authentication, authorization, user profiles and authenticated user sessions in an open way.

The following pages are intended to provide orientation and information about AuthXML for those who are new to the need for AuthXML and to the AuthXML project. We have covered a broad range of issues and hope that this overview will help you understand the security issues and development problems that result from the lack of a specification.

The AuthXML FAQ answers additional questions that we expect to be asked about AuthXML as development and interested parties begin supporting it. Slide shows about AuthXML and the business needs for the standard are available.

General Overview

The expanded use of secured networked applications, within enterprises and between them, has led to increased complexity for users and administrators. Users are often required to make multiple logons to different applications in different security domains.

Some solutions for reducing the security complexity for users have been proposed and implemented. Generally they are monolithic, requiring a single, authoritative user database which all other databases and applications must obey. Some solutions use a distributed model, with trust between domains, but these are usually proprietary or ad hoc.

The purpose of the AuthXML standard is to provide an open framework for resource realms, such as applications and Web sites, to trust security domains. It requires two key technologies to ensure secure, open implementations:

  • XML, the Extensible Markup Language, an open standard for language definitions. The wide usage of XML and the variety of XML processors allow for a variety of implementations of the AuthXML standard.
  • Digital Signatures (XML Signature), a standard for securely verifying the origins of messages. The XML Signature specification allows for XML documents to be signed in a standard way, with a variety of different digital signature algorithms. Digital signatures can be used for validation of messages and for non-repudiation.

AuthXML is a flexible framework, requiring a minimum of functionality from implementations to meet the standard, while allowing maximum extensibility.

Goals

  • AuthXML should define a message format for passing authentication information between security domains and between domains and resource realms.
  • AuthXML is written in XML.
  • AuthXML should not be dependent on any particular security or user database format.
  • AuthXML should be easily extensible.

Goals Specifically Not Addressed

  • No provision is made for negotiation between authorities about trust between domains and realms or the inclusion of optional data. Trust negotiations must be made out-of-band from the AuthXML conversation.
  • No specification is made for the transport mechanism for AuthXML messages.
  • No specification is made for protecting AuthXML messages from interception by third parties. This is left up to the transport mechanism of choice between authorities.
  • No specification is made for providing permission definitions (policies) or authorization information (policy) through AuthXML. It is assumed that realm authorities have authorization policies and tools to specify permissions