BEA's dev2dev site has published an article by Harold Lockhart called "Demystifying SAML," the Security Assertion Markup Language. SAML is used to federate identity: an identity provider that has authenticated a user issues a signed assertion about that user, and a relying party that trusts the identity provider accepts the assertion instead of authenticating the user itself. Trust between the parties, not the token by itself, is what makes the assertion worth anything.

From the article:
SAML standardizes the full range of functions associated with receiving, transmitting, and sharing security information to:

    * Provide XML formats for user security information and formats to request and transmit the information.
    * Define how these messages work with protocols such as SOAP.
    * Specify precise message exchanges for certain common use cases, such as Web SSO.
    * Support a number of privacy protection mechanisms, including the ability to determine users' attributes without revealing their identities.
    * Detail how to handle identity information in formats provided by widely used technologies, including Unix, Microsoft Windows, X.509, LDAP, DCE, and XACML.
    * Formulate a metadata schema that allows participating systems to communicate the SAML options they support.

Moreover, SAML is specifically designed for flexibility. It is extensible to meet requirements not yet covered by the standard.
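To make the first three bullets concrete, here is an added example (not code from the article or from BEA) that builds a minimal, unsigned SAML 2.0 assertion with a transient NameID, a validity window and an audience restriction, and then runs the checks a relying party must apply before trusting it: issuer is on the trust list, the assertion is addressed to us, and the clock is inside the NotBefore/NotOnOrAfter window. The issuer and audience URLs, attribute names and timestamps are constructed for illustration; signature verification and replay tracking are named in comments but not implemented.

```python
"""Build a minimal SAML 2.0 assertion and apply relying-party checks to it.

Added example, not from the dev2dev article. All identifiers and URLs below
are constructed for illustration.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime values are UTC with a 'Z' suffix


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def _iso(t):
    return t.strftime(TIME_FMT)


def _parse_iso(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def build_assertion(issuer, audience, subject_id, attributes, now, lifetime=300):
    """Return the XML text of an assertion. A real IdP signs this (XML-DSig); omitted here."""
    ET.register_namespace("saml", SAML_NS)
    a = ET.Element(_tag("Assertion"), {
        "ID": "_" + uuid.uuid4().hex,  # IDs must be NCNames, so no leading digit
        "Version": "2.0",
        "IssueInstant": _iso(now),
    })
    ET.SubElement(a, _tag("Issuer")).text = issuer
    subj = ET.SubElement(a, _tag("Subject"))
    # Transient NameID: an opaque per-session handle, one of SAML's privacy mechanisms.
    ET.SubElement(subj, _tag("NameID"), {"Format": TRANSIENT}).text = subject_id
    cond = ET.SubElement(a, _tag("Conditions"), {
        "NotBefore": _iso(now),
        "NotOnOrAfter": _iso(now + timedelta(seconds=lifetime)),
    })
    ar = ET.SubElement(cond, _tag("AudienceRestriction"))
    ET.SubElement(ar, _tag("Audience")).text = audience
    authn = ET.SubElement(a, _tag("AuthnStatement"), {"AuthnInstant": _iso(now)})
    ctx = ET.SubElement(authn, _tag("AuthnContext"))
    ET.SubElement(ctx, _tag("AuthnContextClassRef")).text = PASSWORD_CTX
    if attributes:
        st = ET.SubElement(a, _tag("AttributeStatement"))
        for name, value in attributes.items():
            attr = ET.SubElement(st, _tag("Attribute"), {"Name": name})
            ET.SubElement(attr, _tag("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now):
    """Relying-party checks. Returns (True, {name_id, attributes}) or (False, reason).

    Not done here: verifying the XML signature over the assertion (needs an XML-DSig
    library) and remembering assertion IDs to reject replays. Both are mandatory in practice.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _tag("Assertion") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_iso(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _parse_iso(not_on_or_after):  # NotOnOrAfter is exclusive
        return False, "assertion expired"
    # The Web SSO profile requires an AudienceRestriction naming the service provider;
    # every AudienceRestriction present must be satisfied, and within one, any Audience matches.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        return False, "assertion has no AudienceRestriction"
    for ar in restrictions:
        audiences = [aud.text for aud in ar.findall("saml:Audience", NS)]
        if my_entity_id not in audiences:
            return False, f"assertion not addressed to {my_entity_id!r}"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return True, {"name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    xml = build_assertion("https://idp.example.org", "https://sp.example.com",
                          "_" + uuid.uuid4().hex, {"mail": "alice@example.org"}, now)
    print(validate_assertion(xml, {"https://idp.example.org"}, "https://sp.example.com", now))
    print(validate_assertion(xml, {"https://idp.example.org"}, "https://other.example.com", now))
```

The three rejections the validator produces (untrusted issuer, wrong audience, outside the validity window) are the ones that turn a bare XML document into a federation decision; without the audience check an assertion minted for one service provider could be replayed at another, and without the window check a captured assertion never expires. Signature verification is the piece the standard library cannot supply and the one that must never be skipped.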

SAML has come under fire from some parties as being overkill, yet its adoption as a formal standard continues. What do you think of it?