Demo shows ID specs can coexist

By John Fontana, Network World
July 18, 2005 12:05 AM ET

SAN DIEGO - Despite technical differences among protocols for sharing identities across corporate boundaries, users will have at least three network configurations that will let the disparate protocols speak to one another.

Fourteen vendors - including IBM, Microsoft, Novell, Oracle, RSA and Sun - gathered last week at the annual Burton Group Catalyst Conference to answer the research firm's challenge to prove multi-protocol interoperability among their identity federation products.

The demonstration helped dispel user fears, experts say, that protocols for federating, or sharing, user identity and authentication information were on a divergent path that would cause major deployment headaches. Federation's promise is that partners can integrate their authentication systems and provide users with a single sign-on that stretches across corporate boundaries.

"Users should have a bit more confidence that they can still move forward and gain benefits," says Gerry Gebel, an analyst with Burton Group who set up the test. "Any boost from the platform vendors is a boost for the legitimacy of federation."

While federation is just ramping up, Gebel says users building identity management systems must take it into account now or face costly retrofitting later.

The vendors in the test used their federation servers in a combination of three gateway architectures to swap user credentials formatted using the Security Assertion Markup Language (SAML) standard, the Liberty Alliance specifications, the Shibboleth protocols developed for Internet2 or the WS-Federation protocol developed by IBM and Microsoft.

Vendors have been promising for years that the protocols will ultimately converge, but that has not happened. Even versions of the SAML specification - 1.0, 1.1 and 2.0 - do not interoperate.

Without middleware to integrate the protocols, users are left to pick one and push that decision out to their partners.

"You don't like to play that card," said an IT architect with a major insurance provider. "We are large enough that if we adopt standard X, then we force everyone to follow."

But the IT architect said he would rather run everything through a third-party hub and let it map or translate dissimilar protocols, so he can avoid not only forcing technology on his partners, but also the inevitable headaches of integrating disparate technologies. "I want someone else to figure all that out," he said.

What the interoperability test showed is that there are three scenarios for integration: a multi-protocol hub; a multi-protocol translator; or a protocol integration technology called a Security Token Server (STS) based on the WS-Trust specification written by IBM and Microsoft.

The two industry heavyweights announced last week that WS-Trust would be turned over to a standards body in September, ensuring that it will eventually be a royalty-free standard available to all vendors. But WS-Federation, which was also developed by the two partners and is seen as a direct competitor to SAML, is still not in a standards body.
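The translator scenario the test exercised can be shown in miniature. The following is an added example, not code from the article or from any of the vendors in the Catalyst demonstration: a small hub that accepts a partner's SAML 1.x assertion, checks it against the hub's own trust policy, normalises it to a protocol-neutral record, and re-issues it as a SAML 2.0 assertion under the hub's name (the same job a WS-Trust STS does for WS-Federation partners). The hostnames, the trusted-issuer list and the sample assertion are constructed for the example, the assertions carry no XML signature, and only the SAML 1.x to SAML 2.0 direction is implemented.

```python
"""Protocol-translating federation hub (added example; assumptions are marked)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML1_NS)
ET.register_namespace("saml2", SAML2_NS)

HUB_ISSUER = "https://hub.example.net"          # assumed identity of the hub
TRUSTED_ISSUERS = {"https://idp.example.com"}   # assumed partner IdPs with an agreement


@dataclass
class Identity:
    """Protocol-neutral view of an authenticated user."""
    subject: str
    issuer: str
    not_on_or_after: datetime


def _ts(value: str) -> datetime:
    # SAML timestamps are ISO 8601 UTC; accept a trailing 'Z' as well as '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml1(xml_text: str) -> Identity:
    """Pull subject, issuer and expiry out of a SAML 1.x assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    name = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    return Identity(name.text, root.attrib["Issuer"], _ts(cond.attrib["NotOnOrAfter"]))


def parse_saml2(xml_text: str) -> Identity:
    """Same extraction for a SAML 2.0 assertion (Issuer is an element, not an attribute)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.find(f"{{{SAML2_NS}}}Issuer")
    name = root.find(f".//{{{SAML2_NS}}}NameID")
    cond = root.find(f"{{{SAML2_NS}}}Conditions")
    return Identity(name.text, issuer.text, _ts(cond.attrib["NotOnOrAfter"]))


def emit_saml2(ident: Identity) -> str:
    """Build a minimal (unsigned) SAML 2.0 assertion from the neutral record."""
    a = ET.Element(f"{{{SAML2_NS}}}Assertion", {
        "Version": "2.0", "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": datetime.now(timezone.utc).isoformat()})
    ET.SubElement(a, f"{{{SAML2_NS}}}Issuer").text = ident.issuer
    subj = ET.SubElement(a, f"{{{SAML2_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML2_NS}}}NameID").text = ident.subject
    ET.SubElement(a, f"{{{SAML2_NS}}}Conditions",
                  {"NotOnOrAfter": ident.not_on_or_after.isoformat()})
    return ET.tostring(a, encoding="unicode")


PARSERS = {"saml1": parse_saml1, "saml2": parse_saml2}
EMITTERS = {"saml2": emit_saml2}


def translate(token: str, from_fmt: str, to_fmt: str, now: datetime = None) -> str:
    """Validate an inbound token, then re-issue it under the hub's own name."""
    now = now or datetime.now(timezone.utc)
    ident = PARSERS[from_fmt](token)
    # A real hub verifies the XML signature first (omitted here). Even then it must
    # honour only issuers it has a federation agreement with, and must refuse an
    # expired assertion rather than launder it into a fresh token for the partner.
    if ident.issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer: {ident.issuer}")
    if now >= ident.not_on_or_after:
        raise PermissionError("assertion expired")
    # The hub becomes the issuer the partner trusts, but keeps the original
    # lifetime so translation never extends how long the login stays valid.
    return EMITTERS[to_fmt](Identity(ident.subject, HUB_ISSUER, ident.not_on_or_after))


def rejects(token: str, now: datetime) -> bool:
    """True if the hub refuses to translate the token under its policy."""
    try:
        translate(token, "saml1", "saml2", now=now)
        return False
    except PermissionError:
        return True


# Constructed sample: a SAML 1.1 assertion as a partner IdP might send it (unsigned).
SAMPLE_SAML1 = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_c1" Issuer="https://idp.example.com" IssueInstant="2005-07-18T00:00:00+00:00">
  <saml:Conditions NotBefore="2005-07-18T00:00:00+00:00" NotOnOrAfter="2005-07-18T01:00:00+00:00"/>
  <saml:AuthenticationStatement>
    <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
# The same assertion from an issuer the hub has no agreement with (constructed).
SAMPLE_UNKNOWN = SAMPLE_SAML1.replace("idp.example.com", "idp.unknown-partner.example")

NOW = datetime(2005, 7, 18, 0, 30, tzinfo=timezone.utc)   # inside the validity window
LATER = NOW + timedelta(hours=2)                          # after NotOnOrAfter

if __name__ == "__main__":
    print(translate(SAMPLE_SAML1, "saml1", "saml2", now=NOW))
```

The neutral `Identity` record is what makes the hub multi-protocol: adding Liberty, Shibboleth or WS-Federation support means adding a parser and an emitter for that format, not a pairwise mapping between every two formats. The policy checks sit on the neutral record so they apply regardless of which protocol the token arrived in, which is exactly where a hub that "figures all that out" for its partners has to be strict.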
