Novell Inc. and Oracle Corp., both leaders in the identity-management space, on Wednesday rolled out technology blueprints for products that are compliant with Liberty Alliance standards for identity management.
Oracle announced at the Catalyst Conference North America, in San Diego, that it will update its Oracle Identity Management (OIM) infrastructure to include expanded federated identity and SOA (service-oriented architecture) security capabilities.
Uppili Srinivasan, senior director of identity management and security products at Oracle, said the OIM update will remove the cumbersome work of employers having to synchronize and manage multiple lists of personal employee information and passwords, while also relieving employees of the need to remember multiple passwords.
“Without federation, there’s a level of management of user information,” Srinivasan said. “That can be avoided if you implement federation. From that point of view, it’s consolidated, it’s in one place, and that’s an additional level of security.
“There’s no fragmentation or duplication of information,” such as when employees have to provide personal information both for their employer and for a service provider such as, for example, a bank like Fidelity that services employees’ 401(k) plans.
Federation also removes the potential liability of mishandling employee data on the part of service providers such as Fidelity. “There’s all these risks involved if you have to manage all these people,” Srinivasan said.
To achieve this federated identity management, OIM will incorporate the Liberty Alliance’s ID-FF (Identity Federation Framework) and ID-WSF (Identity Web Services Framework) standards. The OIM iteration also will support SAML (Security Assertion Markup Language) standards.
The new OIM capabilities are a result of Oracle’s integration of technology it gained in its acquisition of Phaos Technology Corp. in May. Srinivasan said future technology that may result from Oracle’s integration of Phaos could include the ability to provision users across systems, which is an area that the Liberty Alliance is working on.
The new capabilities have been integrated into OIM for the purpose of Liberty compliance testing. Oracle is now making the new iteration available for evaluation and pilots and will ship the new capabilities with the next version of OIM. Srinivasan said an ETA for that is currently undetermined.
For its part, Novell announced a federated identity-management infrastructure code-named “Odyssey.” Odyssey is designed to enable organizations to federate identity information among their business partners while still maintaining user privacy. It will enable single sign-on based on the Liberty Alliance 1.2 specification, centralized authentication and policy management.
Ashish Larivee, director of product marketing for Novell’s Nsure (Novell Security Identity Management) and exteNd (Novell’s Web services application development technology), said Odyssey is technology that enables centralized authentication, policy management and single sign-on at the service level so that enterprises don’t have to build it into each and every application concerned.
What do businesses get from this? “You can enable single sign-on through federation of identity, which means you can share identity attributes without violating user privacy,” Larivee said.
“With federation enabling single sign-on, you’re able to utilize users’ identity attributes to provide them accessibility to more applications—not just from the pure authentication point of view but also by sharing user attributes … so you can apply policies and business rules to it, and do all of that without compromising users’ privacy.”
Odyssey is also based on SAML and is expected to ship in the first half of 2005. It will enter beta testing within a few months, Larivee said.
Mike Neuenschwander, an analyst with Burton Group, said the interesting thing about Novell’s announcement is that it was the first company to talk about going beyond what the Liberty Alliance is now addressing by attempting functions such as provisioning.
“It’s using a protocol that’s a standard, fairly well-accepted, to do something that’s necessary,” he said. “On one hand, the Liberty Alliance suggests there’s an ability to capture information you’re sending over a [Liberty Alliance] protocol. If you send information about identity and say ‘So-and-so is authenticated,’ there’s the ability to capture that information and store it in a secure way.
“Novell’s saying, ‘Why not create a new account at the same time if there’s a new user?’ Not only avoid sign-on, but avoid the expense of creating and managing accounts. That’s something the SPML [Service Provisioning Markup Language] group has been working on … for a while.”
It’s not clear, though, how successful Novell will be at getting provisioning up and running. “What Novell is doing will [provide the opportunity] to do similar scenarios with what SPML is doing, but with Liberty,” Neuenschwander said. “They need to clarify how that can be done and what their take is on SPML.”