Nearly a year after promising to make their directory and single sign-on technologies work together, Microsoft and Sun have delivered little: a stalemate that exposes an industry rift over identity standards that is costing users money.
While the pair has agreed to some basic platform support, the work to integrate protocols for sharing identities among companies, so-called identity sharing, has stalled, according to sources. The fallout, users say, is complicating identity federation and adding costs as users hoping to connect with one another bear the brunt of integrating competing standards.
A clash of wills between Microsoft and Sun over identity standards has continued despite last spring's very public reconciliation between the vendors, which involved a $1.6 billion settlement related to patent and antitrust issues.
Sun is a major proponent of the Security Assertion Markup Language (SAML) standard, which has been adopted by users such as Boeing, Fidelity Investments and the federal government for its E-Authentication Initiative. Sun also supports the Liberty Alliance, a consortium of users and vendors it helped launch that is developing federation specifications. Those two protocols, along with Shibboleth, an effort to create federated identity standards for Internet2, are merging in SAML 2.0, which is nearing standardization at the Organization for the Advancement of Structured Standards (OASIS) and was the focus of an interoperability test among 13 vendors at last month's RSA Conference.
Microsoft, along with its partner IBM, created a similar specification called WS-Federation and plans to support it this fall when it ships Active Directory Federation Services (ADFS), which lets an identity credential issued by one company be used across partner networks. The specification has not been submitted to a standards body, but at the RSA Conference, Bill Gates, Microsoft's chief software architect, called federation a milestone for the company's security efforts.
Sources close to the interoperability effort between the two say Sun is pressuring Microsoft to submit WS-Federation to OASIS for integration with SAML, much like the Liberty Alliance aligned with SAML 2.0.
"They are quiet on the idea or don't want to do it in a healthy way," says the source, who recalled Microsoft's adoption of Kerberos in Windows 2000 and the key tweak it made to the specification that tied it to Windows, which caused an uproar with users and Kerberos authors at the Massachusetts Institute of Technology. Microsoft used Kerberos as the foundation for its first attempt at federated identity.
Microsoft, while not discussing details of its work with Sun, is clear on its strategy.
"As for Liberty and SAML protocol support, we have no current plans to support those," says Michael Stephenson, Microsoft's group product manager for Windows Server. Microsoft supports the SAML security token format along with Kerberos for use with WS-Federation, but not the SAML protocol that manages the token exchange. "We remain optimistic that these protocols could come together with what we are doing with WS-Star," he says.
WS-* (pronounced WS-Star) is a collection of protocols for providing security and other services in a Web services environment, including WS-Security, an OASIS standard developed by Microsoft and IBM that ironically integrates with both Liberty and SAML.
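The distinction Stephenson draws, supporting the SAML token format but not the SAML protocol, is concrete in the wire formats. The following is an added illustration, not code from the article or from either vendor: two constructed messages carry the same SAML 2.0 assertion, once as a token inside a WS-Security header (the WS-Federation style of use) and once inside a samlp:Response (the SAML protocol's own exchange), and a small classifier tells them apart by namespace. Issuer and subject values are placeholders.

```python
import xml.etree.ElementTree as ET

# Real OASIS namespace URIs for SAML 2.0 assertions, the SAML 2.0 protocol,
# WS-Security 1.0 (wsse) and SOAP 1.1.
SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample 1: a SAML assertion used purely as a security token,
# carried in a WS-Security header. No SAML protocol element is involved.
WS_SECURITY_MESSAGE = f"""<s:Envelope xmlns:s="{SOAP}">
  <s:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <saml:Assertion xmlns:saml="{SAML_ASSERTION}" ID="_sample-token" Version="2.0">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
      </saml:Assertion>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

# Constructed sample 2: the same assertion delivered by the SAML protocol
# itself, wrapped in a samlp:Response as a SAML 2.0 identity provider would send it.
SAML_PROTOCOL_MESSAGE = f"""<samlp:Response xmlns:samlp="{SAML_PROTOCOL}" ID="_sample-resp" Version="2.0">
  <saml:Assertion xmlns:saml="{SAML_ASSERTION}" ID="_sample-token" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def classify_saml_usage(xml_text: str) -> str:
    """Report whether a message uses SAML as a token format inside WS-Security,
    as the SAML protocol (root element in the samlp namespace), or neither."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith(f"{{{SAML_PROTOCOL}}}"):
        return "saml-protocol"
    # Token usage: an Assertion element directly under a wsse:Security header.
    if root.find(f".//{{{WSSE}}}Security/{{{SAML_ASSERTION}}}Assertion") is not None:
        return "saml-token-in-ws-security"
    return "unknown"
```

A federation gateway that only understands the first shape will reject the second even though the assertion inside is byte-for-byte the same, which is the integration cost the article's users describe.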