July 2003 ushered in a strong Microsoft offensive on the identity management and Web services standards front. In partnership with IBM and other vendors, Microsoft released WS-Federation specifications for federated sign-on, attribute services and pseudonym services - specifications that partially conflict with standards from the Organization for the Advancement of Structured Information Standards (OASIS) and the Liberty Alliance. In addition, Microsoft and IBM let it be known that they reject Service Provisioning Markup Language (SPML), which OASIS produced and most identity management vendors have adopted. What should we make of these hardball maneuvers?
The good news is that WS-Federation and other Microsoft-inspired Web services specifications (collectively dubbed WS-*) feature what appears to be an open, composable and extensible architecture for Web services. WS-* embraces Security Assertion Markup Language (SAML) messages as tokens, offering an olive branch for convergence. And Microsoft and IBM say they plan reasonable and non-discriminatory licensing for the specifications. From these standpoints, WS-* will help bring Web services and federated identity closer to critical mass.
The bad news is that when it comes to identity management, WS-* is under-specified and only one of its components has been submitted to a standards body. Microsoft and IBM say they need more time to perfect WS-Federation, WS-Trust, WS-Policy and other specifications before submitting them. But I've heard concerns that the vendors are looking for a rubber stamp, while delaying submission risks freezing important OASIS standards work or freezing the market for federated identity.
WS-*'s theoretical "best" should not become the enemy of SPML and Liberty Alliance's "better." While SPML schema and protocols are not loosely coupled enough to become the be-all, end-all Web services provisioning standards, they are a strong step forward for interoperable account provisioning. And Liberty Alliance's opt-in account linking has immediate applicability to multiple business-to-consumer and business-to-employee identity-management scenarios in today's mature installed base of browsers, Web servers and portals. Liberty's identity-federation specifications are a good start. The work now beginning at OASIS to combine SAML with Liberty, and enhance both, should go forward to create a powerful and extensible identity-federation architecture for customers.
Even today, federated identity solutions based on SAML are proliferating, reducing sign-ons and help desk calls, and bringing ROI to early adopters. You should feel comfortable moving forward with SAML for browser-based, federated sign-on, and with OASIS-compliant WS-Security header technologies that let Web services transmit SAML or other tokens such as Kerberos tickets. Also evaluate Liberty's Phase 1 Identity Federation. And join others in the industry in pushing for immediate submission of Microsoft and IBM's WS-* identity-management-related specifications to OASIS so that the SAML 2.0 group and the Liberty Alliance can move forward with their important work.