The submission of the SAML 2.0 specification this month for consideration as an OASIS standard could bring fundamental changes to the way we federate identity during the next few years.
Security Assertion Markup Language 2.0 unites the assertion, protocol and binding definitions of SAML 1.0 and 1.1 with the Liberty Alliance Project's Identity Federation Framework (ID-FF), which was itself layered on top of SAML 1.1. Officials at the alliance and the Organization for the Advancement of Structured Information Standards said they hope SAML 2.0 will become a unified standard for identity federation.
eWEEK Labs believes that open standards for federated identity are good news for IT managers. Open standards will enable enterprises to interact with one another more easily while respecting the privacy and security of shared identity information.
Many companies are already exploring federated identity, which grants one company's employees access to another company's systems without a separate login at the second company: the employee's home organization authenticates the user and asserts that identity to the partner, which decides whether to trust it. This model works particularly well for companies that collaborate or work with many third parties requiring access to data.
However, as with any technological revolution, it will take a fair amount of work for early-adopting IT managers to iron out all the kinks—particularly business and legal issues. It will also be interesting to see how political issues and rivalries—especially those between the Liberty Alliance and Microsoft Corp., with its rival Passport technology—will be resolved.
So far, the most successful building block for federation is SAML, an XML standard that enables the use of single sign-on to log on to affiliated but separate Web sites.
Originally developed within OASIS, SAML 1.0 specifies three components: assertions (statements about a subject's authentication, attributes or authorization), a request/response protocol for obtaining them, and bindings that carry that protocol over SOAP and HTTP. SAML 1.1 is a minor revision that clarified those components and the browser-based single sign-on profiles built on them; SAML itself does not define delegated administration or policy management, which remain features of the products that implement it.
In 2003 the Liberty Alliance took SAML and added account linking (a persistent, pairwise identifier shared between two organizations for the same user), improved capabilities for establishing trust between organizations and single logout to build a federation framework called ID-FF (Identity Federation Framework). Much of the alliance's work on ID-FF, as well as the Internet2 Consortium's work on Shibboleth, another identity management framework, was used to define SAML 2.0.
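The components described above meet at the service provider, which must decide whether to accept an assertion a partner's identity provider has issued. The following is an added example, not code from the article or from any vendor listed in it, showing the checks a relying party performs on a SAML 2.0 assertion after its XML signature has been verified: trusted issuer, validity window, audience restriction, replay of the assertion ID, and the account linking of a persistent NameID to a local account. The assertion, entity IDs, timestamps and NameID value are constructed for the example; signature verification itself is assumed to have already succeeded (ElementTree cannot verify XMLDSig, so a library such as xmlsec must run first).

```python
"""Service-provider checks on a SAML 2.0 assertion (added example, not from the article).

Assumed: the XML signature on this assertion has ALREADY been verified by a proper
XMLDSig implementation. ElementTree cannot do that and must never be used alone;
for untrusted XML, defusedxml is the safer parser.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: entity IDs, times and the NameID value are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4" Version="2.0" IssueInstant="2004-09-10T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-7f3a9c</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-09-10T11:59:00Z" NotOnOrAfter="2004-09-10T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.employer.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-09-10T11:59:30Z" SessionIndex="sess-01"/>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.partner.example/metadata"}  # assumed: taken from partner metadata
OUR_ENTITY_ID = "https://portal.employer.example/sp"        # assumed: this SP's own entityID
CLOCK_SKEW = timedelta(seconds=60)                           # tolerance for IdP/SP clock drift


def parse_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=OUR_ENTITY_ID, seen_ids=None):
    """Return the subject and session details if the assertion is acceptable, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    # Replay protection: an assertion ID must be accepted at most once within its lifetime.
    assertion_id = root.get("ID")
    if seen_ids is not None:
        if assertion_id in seen_ids:
            raise ValueError("assertion replayed")
        seen_ids.add(assertion_id)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    # Audience restriction: an assertion minted for another SP must not be accepted here.
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if name_id is None or not name_id.text or authn is None:
        raise ValueError("missing Subject/NameID or AuthnStatement")
    return {"issuer": issuer, "name_id": name_id.text.strip(),
            "name_id_format": name_id.get("Format"),
            "session_index": authn.get("SessionIndex")}  # needed later for single logout


def accepts(xml_text, now_iso, **kwargs):
    """Convenience wrapper: True if the assertion passes all checks at the given time."""
    try:
        validate_assertion(xml_text, parse_time(now_iso), **kwargs)
        return True
    except (ValueError, ET.ParseError):
        return False


# Account linking: the persistent NameID the partner IdP issues for a user is keyed,
# together with the issuer, to a local account. Constructed mapping for the example.
ACCOUNT_LINKS = {("https://idp.partner.example/metadata", "user-7f3a9c"): "jdoe"}


def local_user_for(result, links=ACCOUNT_LINKS):
    """Map a validated assertion to the linked local account, or None if not yet linked."""
    return links.get((result["issuer"], result["name_id"]))


if __name__ == "__main__":
    result = validate_assertion(SAMPLE_ASSERTION, parse_time("2004-09-10T12:01:00Z"), seen_ids=set())
    print(result, "->", local_user_for(result))
```

The issuer check and the audience check are the two that cross-organization deployments most often get wrong: a valid, correctly signed assertion from a partner is still worthless if it was issued to a different service provider or has passed its NotOnOrAfter time, and the same assertion presented twice is a replay rather than a second login.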
The Liberty Alliance continues to work with SAML. Earlier this month, the alliance announced the public draft release of ID-WSF 2.0, a second-generation framework for identity-based Web services. The framework was extended to include definitions for how SAML 2.0 assertions can be used to communicate identity among identity-based Web services.
“Successful identity management has become a critical factor in application development and the necessary foundation for deploying all Web services,” said George Goodman, president of Liberty Alliance's management board and director of Intel Corp.'s Visualization and Trust Lab, in a prepared statement released by the alliance. “These specifications provide a blueprint for driving convergence between federated identity and Web services specifications, a necessary step to complete interoperability.”
The draft release of ID-WSF 2.0 is part of the Liberty Alliances road map for WSF 2.0 specifications, with this first phase focused on SAML 2.0 support. The alliance is expected to complete the second and third phases—designed to give users the ability to leverage custom Web services, among other things—by the end of this year.
The Liberty Alliance so far has received more support for its federation specifications than rivals have. Founded in 2001, the alliance comprises more than 150 technology providers and corporations, including General Motors, IBM, American Express Co. and Sun Microsystems Inc.
The Liberty Alliance gained ground earlier this year when eBay Inc. announced it would stop supporting Microsoft's Passport service. We are seeing an increasing number of companies, such as eBay, choosing federated identity standards over handing control of identity information to a single third-party company such as Microsoft.
To encourage industry adoption, the Liberty Alliance has certified several products for technical compliance with its standards and for real-world interoperability.
There will be more than 400 million Liberty Alliance-enabled identities and clients by the end of this year, according to Sam Nicholson, former chairman of the Liberty Alliance business and marketing expert group and the manager of strategic industry initiatives at Sun, in Santa Clara, Calif.
To drive adoption rates, the Liberty Alliance in 2003 delivered a set of Web services specifications. At that time, the alliance announced that more than 59 percent of its founding members said they intended to pilot those specifications in their organizations that year.
Technology is the easy part, however. Business issues often raise the biggest hurdles when it comes to deploying federated identity. At GM, for example, IT managers found that business and legal issues consumed most of the time spent on a proof-of-concept federated identity deployment that the automaker launched for its employee portal.
“The technology is pretty simple, but there are issues around the business that get a little more complicated,” said John Jackson, director of software technology at GM, in Detroit. “We worked on part of it to complete the pilot, but we'll have to come back around to revisit some of the business and legal issues involved.”
Senior Writer Anne Chen can be reached at anne_chen@ziffdavis.com .
Liberty-enabled products
Products that make use of Liberty Alliance specifications include:
- America Online Inc.'s Radio@AOL
- Axalto's Web Identity Card
- Communicator Inc.'s Communicator Hub ID
- Computer Associates International Inc.'s eTrust Identity and Access Management Suite
- Courion Corp.'s Identity Management Suite
- Entrust Inc.'s Secure Identity Management Solution
- Fujitsu Services' SDA mPollux
- July Systems Inc.'s MetaService System
- Mycroft Inc.'s Webseal
- NeuStar Inc.'s NeuLiberty suite
- Oblix's SHAREid
- PostX Corp.'s PostX Trusted Messaging and E-Business solutions
- Valista's PaymentsPlus, TopupPlus, and Service Delivery Platform
Source: Liberty Alliance Project