Averting Web Identity Crisis

Single-sign-on schemes become crucial to enterprises as Web services pick up speed.

In Craig Goren's book, the customer is king, even if that means his staff must integrate with multiple Web-based frameworks. That's one reason the president and chief technology officer of Centerpost Inc., in Chicago, said his company will support any identity management system customers want to use. Got an ID and a password from Microsoft Corp.'s Passport? No biggie. How about one from America Online Inc.? Not a problem at Centerpost, which provides a Web-based service that allows clients such as UAL Corp. to communicate with customers via voice and data on wired and wireless hardware.

"The Holy Grail has long been the concept of single sign-on," Goren said. "But it's easy for technologists to forget that the whole point of single sign-on is to make it easy on the end user."

Making life easier for customers may be the principal reason IT leaders such as Goren are increasingly jumping on board with single-sign-on and digital identity management products such as Passport. But it's not the only reason. As enterprises begin to launch online applications as Web services, they're realizing it's critical to have an integrated repository of information that can tell them whom they're doing business with. Not only can that information improve security by keeping bad guys out, but it can also help enterprises customize online services based on a user's online history and stated preferences.

But there's a catch. Because high-profile, consumer-oriented single-sign-on frameworks such as Passport and AOL's ScreenName service don't yet interoperate, and because others such as the Sun Microsystems Inc.-led Liberty Alliance are just beginning to roll out, enterprises interested in taking advantage of single sign-on for the Web today must make a decision: either bide their time and wait for authentication services to become interoperable with accepted standards and a loosely coupled federation of trust (something IT managers predict could take 18 months or more); cobble together a federated single-sign-on capability using open standards such as SAML (Security Assertion Markup Language) on their own; or, like Centerpost, support any and all approaches.

Even if you decide you can wait, experts advise that now is the time to start developing an identity management architecture and strategy so you'll be ready to act once single-sign-on frameworks such as Liberty mature. That means deploying user authentication software internally, consolidating directory services, and creating delegated administration and self-service processes.

"Get your house in order first, no matter what strategy you decide on," said Dan Blum, an analyst at The Burton Group Corp., in Midvale, Utah. "You need to crawl before you can walk. Once you can manage your own identities, you'll be much more effective at projecting that information to the rest of the e-business world."

In fact, it's inside the enterprise where the real payoff from identity management and single sign-on will first be seen. In a recent survey conducted by Meta Group Inc., of Stamford, Conn., IT managers said consolidating stores of internal employee and external customer ID information would enhance productivity by 24 percent and efficiency by 25 percent. Single sign-on would also decrease help desk calls by 33 percent, managers said.

A number of vendors offer software products that enable enterprises to get a start on deploying their own single-sign-on capabilities in support of Web-based applications. These products, which enterprises can use to manage the digital identities of employees, customers or suppliers, include Netegrity Inc.'s SiteMinder, RSA Security Inc.'s ClearTrust, Oblix Inc.'s NetPoint, Entrust Technologies Inc.'s GetAccess, OpenNetwork Technologies Inc.'s DirectorySmart and Symantec Corp.'s Webthority.

Even most enterprises that deploy their own nonfederated identity management systems will eventually want to tie in to one or more of the increasingly popular federated services from Microsoft, the Liberty Alliance and AOL. Microsoft's Passport (the authentication piece of the company's .Net My Services framework), with some 200 million accounts, is a single-sign-on service built on Kerberos 5.0 that provides identity management and authentication for Internet users. Liberty Alliance—which has more than 40 enterprise members, including Sony Corp., American Express Co. and Citigroup Inc.—is expected to release a specification for an open, distributed, single-sign-on solution built on federation, meaning multiple Liberty systems could interoperate. In addition, AOL has its ScreenName service, focused on unifying identity and access across AOL Web sites.

While each of these systems is expected to share some underlying Web technologies, they won't interoperate for a while. Experts say which ID management framework or frameworks IT managers choose to support first will depend in large part on the technologies underlying their enterprise architectures.

Although there has been some movement toward interoperability among identity management frameworks, the big frameworks will probably remain separate for some time, experts say.

In December, AOL became a member of Liberty Alliance and announced that its 31 million subscribers would have user IDs and passwords compatible with any specification released by the organization. In response, Microsoft, which has yet to join Liberty Alliance, announced it will release next year the first stage of its next-generation Passport services, called TrustBridge. TrustBridge will allow customers with Windows .Net servers or other Kerberos-based systems to have federated single sign-on using Kerberos tunneled over Simple Object Access Protocol (SOAP) Web services.

"We're sort of moving toward this polycentric identity environment, where initially the services will not interoperate, but ultimately they'll be pressured to do so by large-enterprise customers who will not want to support too many mechanisms," The Burton Group's Blum said. "There needs to be a common denominator single-sign-on solution across federated business-to-business environments. There's a possibility they could all interoperate, but there's a whole lot of work to finish."