Federation standards, which allow single sign-on and account linking across disparate security domains, will change authentication and authorization by creating more scalable models for identity management. Security Assertion Markup Language (SAML) 1.1 is a safe bet for companies that want to reap federation benefits such as reduced password-related costs and new applications. Longer term, however, additional standards will be needed for full identity federation.
Three organizations are determining the shape of federation standards: the Organization for the Advancement of Structured Information Standards (OASIS), the Liberty Alliance, and a vendor consortium dominated by Microsoft and IBM that is creating specifications for an enhanced Web services framework (WS-*).
The OASIS Security Services Technical Committee (SSTC) has crafted a document that outlines plans for defining SAML 2.0. Basically, SAML 2.0 will fill in SAML 1.1 gaps such as the lack of session management and single logout, and will also merge SAML with the Liberty Alliance Identity Federation Framework for opt-in account linking across sites.
Meanwhile, the Liberty Alliance has just published its Phase 2 specifications for permission-based attribute sharing. Phase 3 will address ways for identity-dependent services such as presence and calendars to leverage Liberty's work. On the other hand, WS-* defines a WS-Federation specification that is basically compatible with SAML but conflicts with the Liberty Alliance.
As I wrote in an earlier column, WS-* security specifications need to fulfill Microsoft and IBM's promise to establish their specifications as royalty-free works with reasonable, non-discriminatory licensing. Judging by a recent letter to OASIS from IBM, the vendors are jockeying for position to do just that.
IBM's letter does not mention bringing WS-* into OASIS. Instead, it expresses concern that the SAML 2.0 effort is too broad and that identity federation should be addressed in a token-independent manner by another OASIS committee.
The OASIS SSTC chairpersons have replied to IBM, indicating they might welcome the formation of a new OASIS technical committee to address broader federation issues, but want to continue to build out SAML 2.0 as planned. As the SSTC points out, SAML is becoming widely deployed by large enterprise customers, which are urging OASIS to unify disparate SAML-based approaches into a single framework. The SSTC is responding to these market forces and has devised a plan for meeting market needs within a short timeline.
But longer term, the industry needs Microsoft's Longhorn, IBM WebSphere, and future WS-* based offerings to interoperate with SAML 2.0 and address needs outside of SAML's scope. If IBM and Microsoft put WS-* components into OASIS in the near future, these works soon will have the blessing of an open standards community, and crossover work can occur with SAML 2.0. The convergence that customers demand can begin now.