Liberty Alliance or Passport?
Fundamentally, the Liberty Alliance specification and .Net My Services have the same goal: manage Web-based identification and authentication. How each gets there will be the critical decision point for enterprises implementing their own identification management packages.
As the Sun Microsystems Inc.-led Liberty Alliance specification and Microsoft Corp.'s .Net My Services take shape, it's becoming clear that both will be used, but for different purposes.
In any case, it's important to remember that dozens of identification management systems are already in use in business, including Windows domains, packaged application log-ins and log-ins to partner Web sites. What businesses don't have is an easy way to federate these log-ins.
Both the forthcoming Liberty Alliance specification and Microsoft's Passport, the authentication component of .Net My Services, enable companies to build identification management systems that can be federated across many disparate sources. Identification management platforms built on products that implement the Liberty Alliance specification or that use the Passport service will allow companies to share and use authentication information without passing user-sensitive data.
Products based on Liberty Alliance and Passport theoretically will let individuals have a single Web identity that provides single-sign-on capabilities to those Web sites that have implemented either or both of the systems. Also theoretically, any service implementing the Liberty Alliance specification (including Magic Carpet, America Online Inc.'s code name for authentication services based on its ScreenName) will be able to work together.
Indeed, the Liberty Alliance specification is not out yet, but eWEEK Labs expects that Sun will announce a Liberty version of its Sun ONE (Open Net Environment) Identity Server within a month after the specifications release (expected next month). Identity Server, formerly known as iPlanet Directory Server Access Management Edition, includes facilities for single sign-on, policy management, user management and directory services.
Mark Herring, director of corporate strategy and planning at Sun, in Santa Clara, Calif., said standardization will solve one of the biggest problems of identity management: how to share password authentication among sites and applications.
For example, few people can remember their frequent flyer numbers, so an airline such as United Airlines Inc. might want to connect to a user's electronic banking authentication scheme. Herring said, however, that "this could be a one-way authentication. For example, the bank might not want to authenticate a person based on a frequent flyer log-in."
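The federation model sketched above (one site vouching for a log-in to a partner site without handing over the user's account data, with trust that may run in one direction only) can be shown as a small exchange between two sites. The following Python is an added example written for this article; it is not code from Sun, Microsoft, the Liberty Alliance or any product named here. The HMAC-signed token format, the site names bank.example and airline.example, the per-partner pseudonym scheme and the user names are assumptions made for illustration; the real specifications define their own assertion formats.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Site that holds the real log-in (the bank, in the article's example) and vouches for it."""

    def __init__(self, name: str, partner_keys: dict):
        self.name = name
        self.partner_keys = partner_keys   # audience site -> HMAC key shared with that partner
        self._handles = {}                 # (local user, audience) -> pseudonym

    def federated_handle(self, local_user: str, audience: str) -> str:
        # One random, per-partner pseudonym per user: the partner never sees the
        # account name, and two partners cannot correlate their handles.
        key = (local_user, audience)
        if key not in self._handles:
            self._handles[key] = secrets.token_hex(8)
        return self._handles[key]

    def issue_assertion(self, local_user: str, audience: str, now=None, ttl: int = 300) -> str:
        # Only sites with a federation agreement (a shared key) get assertions.
        if audience not in self.partner_keys:
            raise ValueError(f"{self.name} has no federation agreement with {audience}")
        now = int(time.time() if now is None else now)
        claims = {
            "iss": self.name,                                   # who vouches
            "aud": audience,                                    # who may accept it
            "sub": self.federated_handle(local_user, audience),  # pseudonym, not account data
            "iat": now,
            "exp": now + ttl,
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.partner_keys[audience], payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(sig)}"


class ServiceProvider:
    """Site that accepts assertions (the airline) only from issuers it has chosen to trust."""

    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted_issuers = trusted_issuers   # issuer site -> shared HMAC key

    def verify_assertion(self, token: str, now=None):
        """Return (True, claims) when the assertion is acceptable, else (False, reason)."""
        now = int(time.time() if now is None else now)
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
            claims = json.loads(payload)
        except ValueError:   # bad split, bad base64 (binascii.Error) or bad JSON
            return False, "malformed assertion"
        if not isinstance(claims, dict):
            return False, "malformed assertion"
        # Trust is decided per issuer, per site: this is what makes it one-way.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return False, f"issuer {claims.get('iss')!r} is not trusted by {self.name}"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if claims.get("aud") != self.name:
            return False, "assertion was issued for a different site"
        if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            return False, "assertion expired or not yet valid"
        return True, claims


if __name__ == "__main__":
    # Constructed demo: the airline trusts the bank's log-in, but the bank
    # trusts nobody, so an airline-issued assertion is rejected at the bank.
    shared = secrets.token_bytes(32)
    bank = IdentityProvider("bank.example", {"airline.example": shared})
    airline = ServiceProvider("airline.example", {"bank.example": shared})
    bank_as_sp = ServiceProvider("bank.example", {})
    airline_as_idp = IdentityProvider("airline.example", {"bank.example": secrets.token_bytes(32)})

    print(airline.verify_assertion(bank.issue_assertion("alice", "airline.example")))
    print(bank_as_sp.verify_assertion(airline_as_idp.issue_assertion("ff123", "bank.example")))
```

The airline learns only that "the bank vouches for pseudonym X right now", never the bank account name, and each verification step (trusted issuer, signature, audience, validity window) fails closed. The liability question Dean raises in the next paragraphs sits outside the protocol: the shared key is the technical expression of a business agreement, and what happens when an assertion "misfires" is still a matter for that agreement.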
United Airlines CIO and Liberty Alliance Chairman Eric Dean said the goal of the alliance is not to replace the thousands of password authentication systems available but to allow businesses to develop strategic relationships with one another based on user authentications and profiles.
Dean added, however, that the issue of liability will be a big sticking point: "What happens," said Dean, in Chicago, "if the authentication misfires? Who assumes the liability? ... These specific issues have to be worked out. All of that has to be taken into account."
In the Liberty Alliance world, liability issues generally will be handled by the organizations creating the relationships. In the Passport world, the liability issue is determined by the implementing organization's relationship with Microsoft or with strategic partners, depending on how the service is implemented.
Microsoft's Passport was initially released as a service and not an open specification and precedes the Liberty Alliance by at least a year. It's the underlying authentication system of Microsoft Hotmail and The Microsoft Network, and it is required for use in Windows XP.
In the first generation of Passport, there was one sign-on, and Microsoft was the sole manager of the authentication data. Although Passport and .Net My Services were always intended to be open for use by Microsoft's partners, Sun lobbied the industry strongly against Passport, warning organizations not to put user data into a service controlled by Microsoft.
Sun then took another tack, warning organizations that the Microsoft security model was not strong enough to protect sensitive user information. At the same time, Sun initiated the Liberty Alliance along with 32 other companies. Microsoft is not a member.
In fact, user data was never passed to the Passport service, which was going to be hosted on Microsoft's servers. Still, Microsoft changed its strategy and announced that individual organizations could implement their own Passport servers at their locations.
The next-generation Passport will look far more like what Liberty Alliance proponents are promoting. However, since the Liberty Alliance specification is more fluid, there could be a variety of kinds of products based on it. Passport, in contrast, is more tightly controlled.
The specification for Liberty Alliance is still a month away, and the first products implementing the specification will be available no earlier than a month after its release.
Products based on Liberty Alliance will likely find a home in Sun shops, since these companies are already familiar with Unix-based identification mechanisms.
Web sites built on Active Server Pages and .Net, meanwhile, should at least consider Microsoft's Passport, since the Passport authentication system is a major part of Microsoft's overarching .Net Framework.
The big question is which authentication system, if any, enterprises with an even mix of Unix and Windows servers will use. Most likely, administrators will base their decision on a project-by-project basis.