Microsoft, IBM identity plan criticized

Sun, Oracle, Nokia and France Telecom among those objecting

By , Network World
May 02, 2007 04:15 PM ET

Network World - A protocol developed by IBM and Microsoft for standardizing the sharing of user identities between companies was turned over to a standards body on Wednesday amid controversy that it overlaps with similar protocols already recognized as standards.

The Organization for the Advancement of Structured Information Standards (OASIS) says it has created a committee to guide Web Services Federation Language (WS-Federation) version 1.1 through the standards process.

Protocol work stirs controversy
The Organization for the Advancement of Structured Information Standards (OASIS) has agreed to put Web Services Federation Language (WS-Federation) on a standards track, but critics say it overlaps work already done in the Security Assertion Markup Language (SAML) 2.0.

April 2002: Microsoft, IBM and VeriSign proposed WS-Federation as one part of a larger Web Service Security architecture.
July 2003: WS-Federation 1.0 published.
March 2005: SAML 2.0 specification approved by OASIS.
May 2005: Burton Group report highlights benefits of converging browser-based federation models in SAML 2.0 and WS-Federation.
December 2006: WS-Federation 1.1 published.
March 2007: OASIS proposes charter for WS-Federation technical committee.
April 2007: Critics air objections to OASIS charter, including Nokia, France Telecom, NTT, Sun and Oracle.
May 2007: WS-Federation technical committee launched.

The protocol, one of many in the WS-* stack of security protocols, lets companies share identities and security tokens. IBM and Microsoft developed WS-Federation in 2002 along with a number of other proprietary Web Services protocols using the “WS” naming convention. Many, such as WS-Trust, have been turned over to standards bodies, but others, such as WS-Transfer, have not.

The WS-Federation specification has dependencies on both those protocols in order to function properly.

Critics of the move to standardize WS-Federation say the protocol overlaps work already done by OASIS as part of the Security Assertion Markup Language (SAML) 2.0 specification, most notably browser-based federation as part of WS-Federation’s Passive Requestor Profile. SAML 2.0 was standardized by OASIS in 2005.

Those same critics also are concerned with WS-Federation’s dependency on protocols such as WS-Transfer that are not yet standards.

“With the proposed scope, it would appear that the inevitable result can only be unfortunate duplication of existing SAML 2.0 functionality, with the consequent complexity and cost eventually assumed by technology customers,” Paul Madsen of NTT's Information Sharing Platform Laboratory wrote in a comment to OASIS on the formation of the WS-Federation technical committee.

Sun, Oracle, Nokia and France Telecom also raised objections.

“There is some redundancy and overlap at this point that we think is a bit confusing to the marketplace and we would like to see that more clearly defined in the work of this new OASIS technical committee,” says Gerry Gebel, an analyst with the Burton Group. “They have the opportunity to address this issue because OASIS is the home of SAML. We have seen previously where SAML 1.x and Shibboleth and Liberty Alliance ID-FF came together under that umbrella.”
