The Problems With Identities

The strength of a network is based on its weakest link-it's likely to be an identity.

The popularity of the Liberty Alliance and Microsofts Passport has as much to do with IT demand as it does with vendor neediness. Vendors need Web and enterprise identity management to succeed in creating the market and driving demand for a new set of products that sit at the core of the application stack. If vendors fail, they risk losing a strategic battle to develop the standards (de facto and real) for Web services integration—and probably a big chunk of change as well.

Enterprises, meanwhile, need some standards for federating identities; otherwise, single sign-on becomes a pie-in-the-sky concept made possible only by internally developed, client/server-based, proprietary solutions.

Passport is available, the Liberty Alliance specification was completed last month and OASIS has demonstrated SAML interoperability, but were not there yet. Heres whats missing:

Federated ID creation. Oblix CTO and co-founder Nand Mulchandani raises a good point: What happens when a user wants to federate an ID on a system that has no account for that user? There are no standards for how this can be done. That makes federation possible only if two organizations have agreements with each other and if users have accounts on each system.

Federated ID deletion. If a user is deleted from an account that is federated with another, theres no way to manage deletion of the second account. The Liberty Alliance spec has some verbiage on how users can be disconnected, but none about deletion.

Enterprise ID management. Passport has another problem—no enterprise will allow users to authenticate to the corporate network via a Passport account. Two accounts still have to be maintained and synchronized.

The master ID. Any identity management tool needs a master identity, whether its one account used to log in to a single-sign-on service or one based on the Liberty Alliance. Without a master identity, theres going to be a hodgepodge of individual identities that have to be managed at the corporate level. Guess what? Corporate IT isnt going to get into that business.

Weak ID. The weakest link in a network is likely to be an identity, probably one based on a user name and password. The Liberty Alliance can pass authentication strength to the authorization service, but this is only a first step. Oblix, Netegrity and a host of others are working on this problem.

Anything else missing? Write to me at

Related Stories:

  • Commentary: Liberty Is All About Identification Control
  • Liberty Alliance Spec Wont Cure Security Mess
  • Deal Links Visa, MasterCard Accounts to Passport
  • Liberty Alliance or Passport?
  • Averting Web Identity Crisis