Microsoft, IBM identity plan criticized

Sun, Oracle, Nokia and France Telecom among those objecting

A protocol developed by IBM and Microsoft for standardizing the sharing of user identities between companies was turned over to a standards body on Wednesday amid controversy that it overlaps with similar protocols already recognized as standards.

The Organization for the Advancement of Structured Information Standards (OASIS) says it has created a committee to guide Web Services Federation Language (WS-Federation) version 1.1 through the standards process.

Protocol work stirs controversy

The Organization for the Advancement of Structured Information Standards (OASIS) has agreed to put Web Services Federation Language (WS-Federation) on a standards track, but critics say it overlaps work already done in the Security Assertion Markup Language (SAML) 2.0.

April 2002: Microsoft, IBM and VeriSign propose WS-Federation as one part of a larger Web Services Security architecture.
July 2003: WS-Federation 1.0 published.
March 2005: SAML 2.0 specification approved by OASIS.
May 2005: Burton Group report highlights the benefits of converging the browser-based federation models in SAML 2.0 and WS-Federation.
December 2006: WS-Federation 1.1 published.
March 2007: OASIS proposes a charter for a WS-Federation technical committee.
April 2007: Critics, including Nokia, France Telecom, NTT, Sun and Oracle, air objections to the OASIS charter.
May 2007: WS-Federation technical committee launched.

The protocol, one of many in the WS-* stack of security protocols, lets companies share identities and security tokens. IBM and Microsoft developed WS-Federation in 2002 along with a number of other proprietary Web Services protocols using the “WS” naming convention. Many, such as WS-Trust, have been turned over to standards bodies, but others, such as WS-Transfer, have not.

The WS-Federation specification has dependencies on both those protocols in order to function properly.

Critics of the move to standardize WS-Federation say the protocol overlaps work already done by OASIS as part of the Security Assertion Markup Language (SAML) 2.0 specification, most notably browser-based federation as part of WS-Federation’s Passive Requestor Profile. SAML 2.0 was standardized by OASIS in 2005.

Those same critics also are concerned with WS-Federation’s dependency on protocols such as WS-Transfer that are not yet standards.

“With the proposed scope, it would appear that the inevitable result can only be unfortunate duplication of existing SAML 2.0 functionality, with the consequent complexity and cost eventually assumed by technology customers,” Paul Madsen of NTT's Information Sharing Platform Laboratory wrote in a comment to OASIS on the formation of the WS-Federation technical committee.

Sun, Oracle, Nokia and France Telecom also raised objections.

“There is some redundancy and overlap at this point that we think is a bit confusing to the marketplace and we would like to see that more clearly defined in the work of this new OASIS technical committee,” says Gerry Gebel, an analyst with the Burton Group. “They have the opportunity to address this issue because OASIS is the home of SAML. We have seen previously where SAML 1.x and Shibboleth and Liberty Alliance ID-FF came together under that umbrella.”

Shibboleth is based on SAML and is a foundation technology for Internet2’s Abilene Network. The Identity Federation Framework (ID-FF) is developed by the Liberty Alliance, a consortium of users and vendors that has incorporated SAML 2.0 into its identity standards.

Microsoft’s Marc Goodner, who will be part of the WS-Federation technical committee, says the committee will not address the overlap issue.

“The goal is to work on WS-Federation,” Goodner says. “We are not trying to unify or bridge these two worlds. We are not trying to address that topic with what we are doing.”

Goodner says it is not uncommon to see two different ways to address the same functionality.

An OASIS spokeswoman said the standards body has examples of overlapping standards such as Universal Description, Discovery and Integration and Electronic Business XML, both registry technologies for Web services.

Goodner said the key difference between SAML and WS-Federation is that the latter is built on top of WS-Trust and is part of the larger architecture for WS-*.

Microsoft, IBM and others support WS-Federation in products available today. Within Active Directory Federation Services, Microsoft supports only the SAML 2.0 identity token format, not the SAML request/response engine.

IBM is supporting both protocols, as are other vendors such as BMC, RSA Security (now part of EMC) and VeriSign.

“If Microsoft, et al, were to merge the WS-Federation passive profile with SAML 1.x and then focus this technical committee on the active profile [of WS-Federation] -- that would clear up a lot of confusion and limit redundancy,” the Burton Group’s Gebel says.
