Group examining SAML, Information Card for European identity system

Technology would let EU members safely share IDs

A group co-funded by the European Union has reversed its thinking and is considering both SAML and Information Card as technologies to help create an interoperable identity and authentication system to link EU members.

The Secure Identity Across Borders Linked (STORK) interoperable electronic identity project decided late last month to consider both SAML 2.0 and Information Card technology to help EU member countries integrate their identity systems, according to Drummond Reed, executive director of the Information Card Foundation, which includes Deutsche Telekom, Equifax, Google, Intel, Microsoft, Novell and Oracle among its steering committee members.

Both technologies can help entities, including countries, federate identities.

At the STORK Industry Group meeting late last month, the group outlined its plans to explore a SAML 2.0 profile called "holder of key" as a means of preventing man-in-the-middle attacks when countries exchange identity information. A holder-of-key assertion names a key (typically the certificate of the user's TLS client credential) that the party presenting the assertion must prove it possesses, so an assertion intercepted in transit cannot simply be replayed by a third party, as a bearer assertion can.

Industry members at the meeting, including Reed and Microsoft's Kim Cameron, who helped develop the Information Card specification, were among those arguing that Information Card technology was designed to prevent such attacks and should be considered alongside SAML 2.0.

Reed said the discussion lasted nearly an hour and concluded with STORK project leaders agreeing that they should consider Information Card technology.

Reed said the STORK leaders welcomed the feedback and had been leaning toward recommending SAML, but no proposal had been finalized.

"This is very much a question up in the air rather than a done deal," he said. A final determination to use one or the other of the technologies, or perhaps both, could come in the next nine to 12 months, Reed said.

The discussion comes at a key time, when Information Card, originally developed by Microsoft, is seeing solid industry support, with implementations across vendors and platforms.

In addition, last week the Organization for the Advancement of Structured Information Standards (OASIS) approved the Identity Metasystem Interoperability (IMI) 1.0 specification as a standard. It was the first OASIS standardization of a protocol underlying the Information Card technology.

The foundation of IMI is built around the Identity Selector Interoperability Profile from Microsoft, the Web Services Addressing Endpoint References and Identity specification from IBM and Microsoft, and the Open Source Identity Systems (OSIS) Feature Tests from Identity Commons.

Reed said the significance of IMI 1.0, which protects against man-in-the-middle attacks, is that this protection is built directly into the Information Card architecture. With SAML 2.0, the "holder of key" profile must be added to each SAML implementation.
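What "adding the holder-of-key profile to a SAML implementation" amounts to on the relying-party side is the check below: read the assertion's SubjectConfirmation, and, when its Method is holder-of-key, compare the certificate carried in its KeyInfo against the client certificate the presenter actually authenticated with on the TLS connection. This is an added example written for this page, not code from STORK, OASIS or the Information Card Foundation. It assumes the assertion's XML signature, audience and validity window have already been verified elsewhere, uses constructed byte strings in place of real DER certificates, and uses hypothetical names (`accept_assertion`, `make_assertion`, `USER_CERT`, `MITM_CERT`) that appear nowhere in the specifications. The sample run shows the attack the article is about: the same assertion replayed by an interceptor with a different client certificate is rejected under holder-of-key, while a bearer assertion is accepted by whoever holds a copy.

```python
# Added example: relying-party check of a SAML 2.0 holder-of-key
# SubjectConfirmation. Not code from STORK, OASIS or the Information Card
# Foundation. Signature verification, audience and validity-window checks
# are assumed to have been done before this runs.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for DER-encoded X.509 certificates (not real certs):
# the legitimate user's TLS client certificate and an interceptor's.
USER_CERT = b"constructed DER bytes: legitimate user's TLS client certificate"
MITM_CERT = b"constructed DER bytes: interceptor's TLS client certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate; this is what gets compared."""
    return hashlib.sha256(cert_der).hexdigest()


def make_assertion(method: str, cert_der: Optional[bytes] = None) -> str:
    """Build a minimal (constructed, unsigned) assertion with one
    SubjectConfirmation. For holder-of-key, the confirmed key is carried as
    an X509Certificate inside ds:KeyInfo, as the HoK profile requires."""
    key_info = ""
    if method == HOLDER_OF_KEY and cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                    f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
        'ID="_example" Version="2.0">'
        '<saml:Subject><saml:NameID>citizen-1234</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}">'
        '<saml:SubjectConfirmationData Recipient="https://sp.example/acs">'
        f'{key_info}</saml:SubjectConfirmationData>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
    )


def confirmed_certificates(assertion_xml: str):
    """Yield (Method, certificate fingerprint or None) per SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        cert_el = sc.find(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
            NS,
        )
        if cert_el is None or not (cert_el.text or "").strip():
            yield method, None
            continue
        der = base64.b64decode("".join(cert_el.text.split()))
        yield method, fingerprint(der)


def accept_assertion(assertion_xml: str,
                     presenter_cert_der: Optional[bytes],
                     require_holder_of_key: bool = True) -> Tuple[bool, str]:
    """Decide whether the party presenting the assertion may use it.

    presenter_cert_der is the client certificate the presenter authenticated
    with on the TLS connection to the relying party (None if none was
    presented). A holder-of-key assertion is usable only by whoever holds
    the private key for the certificate named in it; a bearer assertion is
    usable by anyone who obtains a copy, which is the man-in-the-middle gap.
    """
    presenter_fp = fingerprint(presenter_cert_der) if presenter_cert_der else None
    bearer_seen = False
    for method, fp in confirmed_certificates(assertion_xml):
        if method == HOLDER_OF_KEY:
            if fp is None:
                return False, "holder-of-key confirmation carries no usable X509Certificate"
            if presenter_fp is not None and hmac.compare_digest(fp, presenter_fp):
                return True, "holder-of-key: presenter's TLS client certificate matches KeyInfo"
            return False, "holder-of-key: presenter's certificate does not match KeyInfo"
        if method == BEARER:
            bearer_seen = True
    if bearer_seen and not require_holder_of_key:
        return True, "bearer: accepted without proof of possession"
    if bearer_seen:
        return False, "bearer confirmation rejected: deployment requires holder-of-key"
    return False, "no supported SubjectConfirmation"


if __name__ == "__main__":
    hok = make_assertion(HOLDER_OF_KEY, USER_CERT)
    print(accept_assertion(hok, USER_CERT))   # legitimate user presents it
    print(accept_assertion(hok, MITM_CERT))   # interceptor replays it: rejected
    bearer = make_assertion(BEARER)
    print(accept_assertion(bearer, MITM_CERT, require_holder_of_key=False))
```

The comparison is on a hash of the DER bytes rather than on parsed certificate fields, which is enough for the binding check because the relying party already validated the presenter's certificate chain during the TLS handshake; a real deployment would also enforce Recipient, NotOnOrAfter and InResponseTo on the SubjectConfirmationData, and would reject any assertion that offers only a bearer confirmation once holder-of-key is mandated.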

"It's not that SAML can't handle the attacks, it is ease of use," Reed said.

"For 75% of the audience [at the STORK meeting] the reaction was why use that SAML profile when Information Card and IMI can guard against this every place it is used."

Those places would include identity exchanges within member countries as well as exchanges between them.

The debate within the EU-sponsored STORK group plays out against the backdrop of the long-running EU-Microsoft antitrust battle.

Reed said he did not detect that the EU-Microsoft relationship had anything to do with STORK's SAML proposal, or that the proposal was an effort to exclude Microsoft-developed technology. In fact, STORK representatives are part of the IMI technical committee, he said.

Follow John Fontana on Twitter: twitter.com/johnfontana.
