Liberty Alliance: Federated Identity Ready to Go

The president of the Liberty Alliance says federated identity management is ready to roll.

As president of the Liberty Alliance Project, Michael Barrett is charged with shepherding the organization as it works to deliver open specifications and frameworks for federated network identity. Barrett, who is also vice president of information security and privacy strategy for American Express Co., said 2004 will be the year federated identity management proves it's more than hype.

eWEEK Labs Senior Writer Anne Chen recently spoke with Barrett about the challenges facing federated identity deployments, Liberty Alliance's priorities three years after its inception and American Express' efforts to secure its own Web services deployments.

Liberty Alliance has been working on federated identity since 2001. What are you focused on today?

The theme in 2004 is ... ensuring that any barriers to adoption around federated identity management are removed. There's always a gap between the leading-edge companies that play with a lot of the technologies and the early adopters, and our goal this year is to close that gap.

We're spending most of our energy doing things that are needed to help companies deploy federated identity while continuing to build on the foundations. Where in the past we built infrastructure specifications, we're now building actual services specifications that write upon previous specs. Our focus is in ensuring that we knock down as many perceived barriers as possible.

What are some common misconceptions surrounding federated identity?

One example is that people think there are no products out there. The Liberty Alliance has dozens of products on the market.

I saw something recently that said the Liberty Alliance specs are not stable. We've had these specs on the market for nearly 18 months now. You have to keep educating. We're seeing implementations, and our expectation is that within a few months, there will be a fairly large number of implementations, which is one thing that really encourages the early-adopter crowd.

You have said that you're working on convergence between Liberty's IDFF (Identity Federation Framework) and SAML (Security Assertion Markup Language). Can you describe some of the work being done?

The Liberty Alliance owed a great debt to SAML in that it was the technology that we most heavily relied on. I wouldn't want to minimize the implication that SAML had on our first family of specs. We are very conscious that we didn't want to see any kind of schism in the marketplace. So rather than seeing two diverging specifications, we submitted IDFF as the basis for SAML 2.0.

Why did American Express join the Liberty Alliance?

If you set the clock back to late 2000 [or] early 2001, XML was around and SOAP [Simple Object Access Protocol] was around, but neither of them was finalized. Web services were understood conceptually, and there were enough tools around where we said "this stuff looks promising." American Express has a number of services we offer to customers. We have a proprietary application system we built ourselves that manages our Travelers Cheque inventory. When a Travelers Cheque is cashed, it's recorded so that system manages the life cycle of Travelers Cheques.

We went to a couple of partners and said, "We're interested in Web services. Would you like to work with us to build an implementation of this check system?" The problem at that time surrounded security integration problems.

We felt the business promise of Web services was justified, but security was a problem. Problem two was, whenever you're transacting commercially, most transactions are authenticated. There was a hole in the standards set that didn't address identity.

We joined Liberty Alliance because we needed a solution to identity-enable Web services transactions.

How is American Express using Liberty Alliance frameworks and specifications today?

Broadly speaking, our deployment can be characterized as multiphase. We're trying to do foundational work … to minimize the business issues but give us value so that we have a learning exercise for cutting our teeth on the technology. It's the whole walk-and-then-run concept.

For corporate cards, corporate travel, etc., a number of companies … say they'd like [our] services to integrate with an employee single-sign-on portal. Essentially, they want employees to come to us and have us trust their identity. And they want us to do this without a proprietary solution.

We know some of our competitors are starting to do this. We know that if we attempted to stay proprietary, we'd start losing deals and become noncompetitive. Even if we thought using open standards like Liberty was a bad thing, we'd be forced into doing it.
