
The Liberty Alliance Grows Again

sempf writes "The Liberty Alliance, a Sun-backed open-specification alternative to the Microsoft platform's Passport system, has added two very powerful members, Oracle and Intel. Now over 150 members, one wonders at the future of a world where we have two single sign-on systems. With the three big IM platforms joining forces, is the identity standard of the world going to be Microsoft, or Sun? Is this going to be the next Browser War?"
  • Single Sign-On (Score:5, Informative)

    by storem ( 117912 ) on Monday July 19, 2004 @08:15AM (#9736812) Homepage
    Be sure that this will be the next big war. But it will most certainly not be fought in the open field. My guess is that this will mostly influence companies as they move more and more to single sign-on solutions.

    Article from Internet News [internetnews.com]

    June 30, 2004
    Single Sign-On Gains Liberty Support
    By Clint Boulton

    Although a lack of interoperability has threatened to hold Web services adoption back, Liberty Alliance, a group dedicated to forging an open identity standard, cracked that barrier by certifying nine single sign-in products this week.

    The group awarded Ericsson, Hewlett-Packard, IBM, Netegrity, Novell, Oracle, Ping Identity, Sun, and Trustgenix its "Liberty Alliance Interoperable" mark in a conformance test.

    The certification, which covers Liberty Alliance Identity Federation Framework (ID-FF) version 1.1 and 1.2 for single sign-on services, involves a rigorous testing process that gauges identity federation, authentication, session management and privacy protection. Vendors must demonstrate interoperability with two other randomly selected participants.

    Secure single sign-on services are a key ingredient for Web services, a high-flying concept for distributed computing that allows applications to talk to one another to perform tasks. But customers are afraid to "sign-on" without a secure brand, because crackers can swipe their personal information if the site is not safeguarded properly.

    According to a Liberty statement, the products are interoperable out-of-the-box, which pares deployment schedules and saves costs. This is key, as customers are loath to license technology if it isn't supported by a validated standard, according to Gartner analyst Ray Wagner.

    "Customers who are thinking about federation projects need some reassurance that there won't be a huge amount of manual integration necessary between partners with different infrastructures," Wagner told internetnews.com. "Requiring compliance with Liberty, SAML, WS-Federation, and WS-I Basic Security Profile, or a subset of the above, will provide some assurance that systems have the capability to work together."

    Wagner said he believes most vendors who make identity management products will provide compatibility with specs or standards in the short term, noting that Federation protocols in particular (SAML, Liberty, WS-Federation) will likely converge in the medium term.

    With Liberty's certification, companies can say that their products are compliant with the Liberty identity standard, making their identity management software more appealing to customers looking to shore up their Web services platforms with authentication via single sign-on services.

    Forrester analyst Randy Heffner said using Identity Web Services Framework (ID-WSF) requires Liberty's ID-FF and offers an interoperable path to Web services as long as users start with Liberty's ID-FF.

    "There is a test suite to ensure broad testing coverage of the technical interfaces," Heffner told internetnews.com. "But successful operation of the tests is sort of on the honor system -- except that a vendor who wants the Liberty logo must participate in an interoperability event and successfully connect with a couple of other randomly chosen products."

    "This is better than a simple, pre-planned interoperability event, which only proves that there is 'at least one' configuration by which products can work together -- but not that this is the configuration that any given user might need," Heffner concluded.

    Web services have been slow to take off over the last few years, due to obstacles such as interoperability, security and manageability. But this is changing, owing in part to the steady work companies have been putting into the matter and the increasing acceptance of the more broad service-oriented architecture approach to software services.

    The following products are now Liberty compliant: the Ericsson User S
  • Re:No. (Score:3, Informative)

    by ClubStew ( 113954 ) on Monday July 19, 2004 @08:25AM (#9736856) Homepage
    A Microsoft Passport doesn't have to be from hotmail.com or msn.com or even passport.com. Hotmail and MSN email addresses are automatically Microsoft Passports, but you can register any email with www.passport.com [passport.com].
  • by Anonymous Coward on Monday July 19, 2004 @08:32AM (#9736893)

    The Liberty Alliance is not a single signon like Passport. It doesn't put all your data in the hands of one organisation. It basically allows you to link logins and share data between them.

    It's a tricky concept to grasp but I've found these two introductions helpful:

  • Re:who cares? (Score:5, Informative)

    by cmj ( 34859 ) on Monday July 19, 2004 @08:38AM (#9736920)
    One of the points of the Liberty Alliance is that you, the end user choose whether to Federate your accounts or not, and you get to choose to break that Federation. Take a spin through the backgrounder paper [projectliberty.org] on Liberty - there's a lot of tech, but there's also quite a bit of thinking about privacy and security there.
  • by Anonymous Coward on Monday July 19, 2004 @08:53AM (#9737019)
    Here is a research project (here [cornell.edu]) that is building a replacement for Passport. The main idea, as I understand it, is to use multiple authenticators in different administration domains (unlike Passport controlled by a single entity, namely MS) to authenticate a user, and then use threshold crypto to combine the result into a single authentication token.
  • by Ari_Haviv ( 796424 ) on Monday July 19, 2004 @08:57AM (#9737038) Homepage
    Intel isn't just paranoid. Rumors have it that the Xbox2 will use PowerPC CPUs instead of Intel or even AMD
  • by raul ( 829 ) on Monday July 19, 2004 @10:10AM (#9737499) Homepage Journal
    The Liberty Specification does not dictate any language implementation. It is just an extension of SAML [oasis-open.org] that is just an XML schema above SOAP with some XML-SEC message security. Nothing more fancy. I think that PingID has a .NET implementation.

    Anyone can download the specs and do a client/server implementation just using Apache projects (Xerces, XML-SEC) and some DOM/servlets knowledge to implement their protocol.

    Anyhow you can do it in C++/Java/.NET or whatever language you like.

  • RTFA (Score:2, Informative)

    by mindfucker ( 778407 ) on Monday July 19, 2004 @10:26AM (#9737652)
    This is not simply a single sign-on system like MS Passport, where only they manage/control your identity. This is just an API for identity and authentication, and the "identity provider" can be anybody such as the company you work for, the government, or a third party identification service like Thawte.
  • by Samari711 ( 521187 ) on Monday July 19, 2004 @10:54AM (#9737881)
    actually despite what the person who posted this article implies, LA is not a monolithic sign on like Passport. LA basically provides a protocol for a person's identity to be authenticated via a third party and the token from that third party server passed to different sites that trust the third party. The standard does not however stipulate that there can be only one company capable of identity verification, but rather lets sites choose who they trust the information from.
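The trust model described in the comment above, together with the user-controlled federation mentioned in cmj's earlier comment, as an added example that is not part of the thread and not code from any Liberty implementation. HMAC with a per-provider key stands in for the XML signature a real SAML/Liberty assertion carries; all names, keys and the token layout are constructed for illustration.

```python
import hashlib
import hmac
import json

def issue_assertion(idp, key, subject, audience, now, ttl=300):
    """Identity-provider side: sign a statement that `subject` authenticated."""
    claims = {"iss": idp, "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

class ServiceProvider:
    """A site that accepts tokens only from identity providers it has chosen."""

    def __init__(self, name, trusted_idp_keys):
        self.name = name
        self.trusted = dict(trusted_idp_keys)  # idp name -> verification key
        self.federations = {}                  # (idp, subject) -> local account

    def federate(self, idp, subject, local_account):
        # The user links an identity at the provider to a local account.
        self.federations[(idp, subject)] = local_account

    def defederate(self, idp, subject):
        # The user breaks the link; later tokens no longer log them in.
        self.federations.pop((idp, subject), None)

    def login(self, token, now):
        """Return (local_account, reason); local_account is None on rejection."""
        try:
            claims = json.loads(token["body"])
        except (KeyError, TypeError, ValueError):
            return None, "malformed token"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(token.get("sig"))):
            return None, "bad signature"
        if claims.get("aud") != self.name:   # token minted for another site
            return None, "wrong audience"
        if claims.get("exp", 0) <= now:
            return None, "expired"
        account = self.federations.get((claims["iss"], claims.get("sub")))
        if account is None:
            return None, "not federated"
        return account, "ok"
```

The audience and expiry checks are what stop a token accepted at one relying site from being replayed at another or reused later.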
  • Re:Single Sign In (Score:3, Informative)

    by glesga_kiss ( 596639 ) on Monday July 19, 2004 @11:42AM (#9738414)
    The only thing I would like to see a specification for is labelling fields in HTML forms so that they can be auto-completed with information from my vCard.

    Been done already, and most big commercial websites support it. It's a tag that goes on text entry fields denoting what they are, say "name", "e-mail", "phone" and so on.

    Programs like Roboform, Google Toolbar and Gator (spit) use these to autofill your forms for you.

    However, this misses the point; these identifications are supposed to securely identify you. This identification may come with a list of addresses, so that when you sign up for a commercial service online, you can identify yourself in a way that they know you are a genuine person not scamming them with a dodgy credit-card number and drop address. Takes the validation responsibility away from the trader, which should reduce their costs and complexity of the initial setup.

  • by Samari711 ( 521187 ) on Monday July 19, 2004 @12:42PM (#9738989)
    part of the standard allows you to pick and choose what information you share with whom. granted you'll still be giving all your information to one identification provider but you get to say what of that information is available to any company you want to link the login to. I'm not sure how to go about giving phony information other than having a bogus account though.
  • by atomico ( 162710 ) <miguel@cardo.gmail@com> on Monday July 19, 2004 @12:58PM (#9739099) Homepage
    How universal can any kind of "identity system" be before it gets scary and/or illegal? (Illegal in countries with data protection laws anyway.)

    In theory at least, it is the end user who chooses to 'federate' her different accounts so she has to log just into one of them.

    Now that you mention Nokia, this issue is really hot in the mobile world, where the mobile network operator would play the role of Identity Provider, allowing Single-Sign-On to a number of mobile websites or even subscription data services. Authentication could be performed at a lower level in the network, when the mobile terminal is switched on, and the User ID can be linked to the mobile number.

  • Identity Commons (Score:2, Informative)

    by spot ( 3593 ) on Monday July 19, 2004 @02:39PM (#9739968) Homepage
    The Identity Commons [identitycommons.net] is also working on the same problem, but they have taken a more useful approach than the Liberty Alliance.
  • by leonbrooks ( 8043 ) <SentByMSBlast-No ... .brooks.fdns.net> on Monday July 19, 2004 @05:32PM (#9741568) Homepage
    Uh, which W3C standard(s) should I follow?

    In the spirit of FOSS - to wit, building a working one to back up your specifications - try this [w3.org]. If 50% of websites got a clean bill of health there, the world would be a better place.

    Sometimes I'm just baffled at what they want me to do.
    The error messages there recently got much better. See if you can spot which explicatory message I contributed to the list. The takeaway message is, don't just whine - fix it.

    They may be a bunch of meeting-bound administrators, but W3C do produce working code to their own specifications.
