The Liberty Alliance has locked up an open standard for federated identity management with new specifications that let companies share login and other information as they deploy and use Web services.
Touting accompanying policy recommendations in a “best practices” guide, the alliance — a consortium founded by Sun Microsystems and consisting of more than 160 companies and other organizations — said the “Phase 2” specifications give Web services the privacy and security necessary for real use.
Microsoft has promoted one response to the identity-management dilemma, namely the centralized identification model called .NET Passport. However, critics have faulted that model as being fraught with security risks, largely because all user data is stored in a single place. In light of these risks, alternative strategies — such as federated identity management — are beginning to emerge.
“This is a huge step in making Web services ready for true deployment,” Sun group business manager Sai Allavarpu told TechNewsWorld. “It is for real.”
Web Services Open
The Liberty Alliance said the new specifications complete the foundation for the Liberty Web Services Framework, which provides an open standards-based way to deliver identity-based Web services, cut internal IT costs and make Web services more secure and private.
Based on existing open standards — signified by such acronyms as SAML, SOAP, XML and WS — the new identity standard will allow organizations to perform cross-domain and cross-company authentication, Allavarpu said.
“One of the biggest barriers has been that there is no standard way to authenticate and identify the various players in the delivery chain,” Allavarpu said. “All of this is done [with the new specifications] in a privacy-friendly manner because it is baked right into the specs.”
Key .NET Differences
In addition to being widely available as an open specification for identity management — in other words, the spec can be used by any company that chooses to adopt it — the new technologies are key to Sun’s J2EE Web services strategy, which is challenging Microsoft’s .NET Web services initiative.
Some of Microsoft’s Web services features and interoperability were included in the company’s latest Office 2003 release, but J2EE widens the use of browser-integrated identity management beyond Windows to other platforms, according to Allavarpu.
He said J2EE Web services is also different from .NET because the Sun and Liberty Alliance effort allows delivery of Web services regardless of device — meaning wireless phones and other handhelds could be included in Web services.
Java Identity Server
In concert with the release of the new specifications, Sun announced that its Java System Identity Server — part of the Java Enterprise System — is the first product to support them.
The company said the Phase 2 specs extend the server’s functionality and enable wider deployment and adoption of secure and federated identity-based Web services to both fixed and mobile devices.
Meta Group vice president Earl Perkins said the “secure, nonproprietary and economical platform” is likely a winning strategy for Sun. According to Sun, the server uses role-based access control mechanisms to centrally manage users, administration and access policies internally or on the Web.
Allavarpu said that because most customer architectures are heterogeneous, it is important to have a single, open and integrated way to share and authenticate identity over the Internet.
“We would not like to see multiple standards,” he told TechNewsWorld, referring to the WS-Security standard effort from Microsoft, IBM, BEA, VeriSign and others.
Allavarpu questioned the use of the other Web services standard, which is still in the proposal state, when the Liberty Alliance “federated identity standard” has been released and has proven to be interoperable.
“Most customers want these capabilities today,” Allavarpu said. “For customers that have been waiting, now they can deliver. It’s ready for prime time.”