IBM Pushes Federated Identity Management

With Version 6.2 of its Federated Identity Manager, IBM brings multiple identities into a centralized system.

IBM is pushing interoperability as a solution to enterprise identity management and authentication woes.

In Version 6.2 of IBM Tivoli Federated Identity Manager, the company has integrated a number of user-focused identity management technologies and frameworks, including OpenID, Microsoft Windows CardSpace and the Eclipse Higgins identity framework.

In addition, the software now supports a wide range of user and application credentials such as RACF (Resource Access Control Facility) PassTicket, Kerberos, SAML (Security Assertion Markup Language), WS-Security (Web Services Security) and platform-specific credentials used by Microsoft .Net, IBM WebSphere, SAP NetWeaver, Oracle and CA.

The idea, IBM officials said, is to bring multiple identities into one central, federated identity management system that supports both legacy and newer user-centered frameworks.

"We now make it much easier for someone to deploy our federated identity access manager with other access management products that are in the marketplace, and that only just makes it easier for a customer to go ahead and deploy that into their environment," said Joe Anthony, program director for security and compliance management with IBM Tivoli.

IBM is one of the leaders in the identity and access management market in terms of revenue. According to IDC analyst Sally Hudson, the company has both the technological expertise and the resources necessary to pull off this concept for customers.

Hudson explained that a federated ID environment requires companies to sell the idea internally and then externally to partners and contractors, reassuring all involved that this will not reduce security or raise risk. Afterward, organizations must evaluate their architectures and the different points of interaction and integration. Standards such as WS and SAML make this easier, but there is always some system that doesn't quite fit into the box, she said.

"Federated identity is not for the faint-hearted," Hudson said. "It is getting easier, [as can be seen by] recent announcements by IBM, Ping, etc., but it requires a lot of up-front planning and detailed integration work."

IBM is also targeting SOA (service-oriented architecture) with this release by including a built-in SOA Identity Service to enable users to validate, manage and audit identities across a variety of formats and vendors' applications to help maintain identity context.

"When you think about a SOA environment, where [there are] ... multiple administrative IDs, one problem we were seeing, particularly in portal environments, is that customers would set up an administrative ID on a portal and use [that ID] to go get information off of the back end," Anthony said. "You run into an audit problem when you do that because you don't have the context of which users were requesting the information.

"With our Federated Identity Manager ... you can also make sure that identity context flows through that entire SOA architecture and you capture all the needed, relevant identity context with the transaction, and you don't lose that context."

The new IBM Tivoli Federated Identity Manager will be generally available worldwide in June.