I'm not aware of any good, comprehensive sources on these two subjects, but I can refer you to an earlier response, How does WS-Security relate to other WS- standards?, where there is an explanation of how WS-Policy relates to other standards, and how WS-Policy extensions relate to the core WS-Policy spec. In terms of the spec itself, I found it to be simple enough to understand from the official W3C site: Web services policy working group.
SAML, short for Security Assertion Markup Language, is a much more complex specification. One book I've read in the past included a small section on SAML that introduced it nicely, Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption. However, it only covers SAML at a high level, with some basic examples.
In terms of finding more basic examples, I noticed that a Web search returns some good results. These results may be a good start before diving into the official SAML standard specification documents that are available on the OASIS site.More information:
Enterprise Java security expert Ramesh Nagappan responds:
I am bit surprised to note the comment referring to "SAML a much more COMPLEX specification" - which is absolutely false.
In fact, SAML is the most simplified and well accepted solution evolved from OASIS initiatives. SAML is also an OASIS ratified industry standard for representing XML-based authentication and authorization decisions, which play a bigger role in single sign-on and identity federation. SAML also accepted as a protocol for representing attributes of identity federation standards defined by the Liberty Alliance (ID-* specifications) and Shibboleth (Internet 2) standards initiatives. It is also important to note SAML is the 2002 winner of PC Magazine's Technology Excellence award
Today, SAML is well accepted in the industry with almost all identity management solution providers including Sun, IBM, Oracle, HP, RSA, SAP BEA (even Microsoft via WS-Trust) and a list of 100+ vendors support SAML assertions.
More importantly, SAML Interoperability tests are conducted and monitored by the U.S. General Services Administration.
While comparing SAML with WS-Policy, WS-Policy 1.2 specification is still in its infancy and it aims at a very limited scope -- representing XML Web services policy expressions specific to WSDL service descriptions and UDDI service registrations. Due to lesser industry adoption of UDDI registries, it is very difficult to predict the scope of WS-Policy in Web Services -- especially at this time. It is assumed that WS-Policy would be a great player in the evolving SOA governance arena and its relationship with WS-Management specification. Having said that, the scope for use in XML Web services or its security is still very limited. There is no guarantee of interoperability conformance and also there are not many vendors who offer support for WS-Policy at this time.
From a developer standpoint, if you'd like to learn about SAML in Java a great place to start is practicing OpenSAML APIs (OpenSAML.org) and JAX-WS 2.0 APIs for Web Services Security. Here are the XML and Web Services Security Release Notes. To understand the role of WS-Policy in XML Web Services and its implementation, it is worth taking a look at this upcoming Web service Interoperability technology effort called Project Tango from Sun Microsystems.
Rami Jaamour responds:
I think my use of "complexity" may have implied a negative perception about SAML, which was not my intention. I agree with you about the significance of SAML. I'm seeing it being deployed and used more and more for identity federation purposes (in SOAs) and among other things as you have pointed out. Complexity is a subjective label that should be avoided. When I addressed this question I did not feel that I needed to address SAML's popularity or significance, or even explain what it is, but I now understand that not doing so could have created the wrong impression about SAML.
I believe that your comments are important and should augment my answer, because they provide an additional dimension of significance, application scope and more sources of information for answering the original question.
This was first published in December 2006