The big event at the recent Catalyst Conference was the unveiling of the Liberty Alliance project's first specification - at least if you judge by the number of reporters present at the press conference. I was finally able to get a copy of the spec, though, which we'll talk about in a future issue. We have also worked out how the spec was agreed to so quickly by the dozens of companies involved.
First, much was simply not specified but left to the discretion of the companies. While this got the spec out quickly, it will most likely mean long, drawn-out sessions creating the partnership agreements necessary to develop the "circles of trust" within which the Liberty program operates.
The second thing that helped speed the specification process was the agreement by the Liberty participants to simply adopt the work of the Security Assertion Markup Language (SAML) technical committee of OASIS. That was probably the best thing Liberty could have done.
Right after the Liberty Alliance press conference (which demonstrated little and took no questions), the SAML people showed off their first version of the authentication specification. They demonstrated it in action and were not afraid to take questions.
SAML set up a test bed of more than a dozen participants (including Baltimore Technologies, CrossLogix, Entegrity Solutions, IBM, Netegrity, Novell, Oblix, OverXeer, Quadrasis, RSA Security, Sigaba, and Sun) to demonstrate the interoperable authentication that the SAML spec enables.
Not only authentication, though, but graded authentication. The demonstration showed three levels of authentication (although it looked like three levels of authorization to me). A real-world analogy could equate the levels to Read Only, Read-Write and All Rights.
The group demonstrated single sign-on capabilities with authentication taking place at multiple sites. That is, once you have federated your accounts at multiple sites and identified a primary "identity provider," choosing the SAML-enabled logon at any of the sites brings up a logon dialog box which authenticates you to the identity provider; the site you started at then receives an assertion about you from that provider. In contrast, the Liberty spec requires that you visit the identity provider, log on there, and only then go on to another site within that identity provider's "circle of trust."
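To make the site-initiated flow in the preceding paragraph concrete, here is an added example written for this page; it is not code from the SAML test bed, the Liberty spec, or any vendor named above. It simulates both sides of the exchange: the identity provider issues a minimal SAML 1.0-style authentication assertion (Conditions with a validity window and an audience restriction, an AuthenticationStatement naming the authentication method), and the site that requested the logon checks it before trusting it. Two things are assumptions: an HMAC over the serialized assertion stands in for the XML Signature a real deployment would use, and the table mapping authentication method to a rights level (Read Only, Read-Write, All Rights) is a hypothetical reading of the column's analogy, not anything the spec defines. The issuer and site URLs and the shared key are made up.

```python
"""Simulated SAML-1.0-style single sign-on: IdP issues, SP validates.

Added example for this page; not the SAML test bed's or Liberty's code.
"""
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Authentication method URIs defined by SAML 1.x.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_TLS_CLIENT = "urn:ietf:rfc:2246"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

# HYPOTHETICAL policy: stronger authentication method -> more rights,
# following the column's Read Only / Read-Write / All Rights analogy.
LEVEL_FOR_METHOD = {
    AM_PASSWORD: "read-only",
    AM_TLS_CLIENT: "read-write",
    AM_X509: "all-rights",
}

IDP_ISSUER = "https://idp.example"           # made-up identity provider
IDP_SHARED_KEY = b"constructed-demo-key"     # stand-in for the IdP signing key
DEMO_NOW = datetime(2002, 7, 16, 12, 0, tzinfo=timezone.utc)  # constructed clock


def later(seconds):
    """Convenience for tests: DEMO_NOW shifted by the given number of seconds."""
    return DEMO_NOW + timedelta(seconds=seconds)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sign(xml_bytes):
    # Stand-in for XML Signature: HMAC-SHA256 over the serialized assertion.
    return hmac.new(IDP_SHARED_KEY, xml_bytes, hashlib.sha256).hexdigest()


def issue_assertion(subject, method, audience, now, ttl_seconds=300):
    """IdP side: build a signed authentication assertion for ONE audience."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": uuid.uuid4().hex,
        "Issuer": IDP_ISSUER, "IssueInstant": _iso(now)})
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions", {
        "NotBefore": _iso(now),
        "NotOnOrAfter": _iso(now + timedelta(seconds=ttl_seconds))})
    arc = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML_NS}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": method, "AuthenticationInstant": _iso(now)})
    subj = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameIdentifier").text = subject
    xml_bytes = ET.tostring(a)
    return xml_bytes, _sign(xml_bytes)


def validate_assertion(xml_bytes, sig, expected_audience, now, seen_ids):
    """SP side: every check a relying site should make before trusting the
    assertion. Returns (True, info) or (False, reason)."""
    # Verify the signature BEFORE parsing anything; unsigned input is untrusted.
    if not hmac.compare_digest(sig, _sign(xml_bytes)):
        return False, "bad signature"
    root = ET.fromstring(xml_bytes)
    ns = {"saml": SAML_NS}
    cond = root.find("saml:Conditions", ns)
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    audiences = [e.text for e in root.findall(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if expected_audience not in audiences:
        return False, "wrong audience"        # assertion meant for another site
    assertion_id = root.get("AssertionID")
    if assertion_id in seen_ids:
        return False, "replayed assertion"    # same assertion presented twice
    seen_ids.add(assertion_id)
    stmt = root.find("saml:AuthenticationStatement", ns)
    method = stmt.get("AuthenticationMethod")
    if method not in LEVEL_FOR_METHOD:
        return False, "unknown authentication method"
    subject = stmt.find("saml:Subject/saml:NameIdentifier", ns).text
    return True, {"subject": subject, "method": method,
                  "level": LEVEL_FOR_METHOD[method]}


def sp_initiated_login(site, user, method, now, seen_ids):
    """The flow the SAML demo showed: the user picks the SAML logon at a site,
    the site sends the browser to the IdP, the IdP authenticates the user and
    issues an assertion for that site, and the site validates it."""
    xml_bytes, sig = issue_assertion(user, method, site, now)   # IdP step
    return validate_assertion(xml_bytes, sig, site, now, seen_ids)  # SP step


if __name__ == "__main__":
    print(sp_initiated_login("https://sp-a.example", "alice", AM_PASSWORD, DEMO_NOW, set()))
```

The order of checks matters: the signature is verified over the raw bytes before the XML is parsed, the audience check stops an assertion minted for one member site being accepted at another, and the AssertionID cache stops the same assertion being replayed within its validity window. A real deployment would use XML Signature with the IdP's public key rather than a shared HMAC key, and would persist the seen-ID cache for at least the assertion lifetime.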
If that wasn't enough, on the day following the SAML demonstration Microsoft promised to support SAML in the upcoming release of .Net Server (see story at: www.nwfusion.com/news/2002/0716msla.html). While it's still unclear exactly how Microsoft will provide this support (it will be an add-on, coming after .Net Server ships), it does bode well for almost universal acceptance of the authentication mechanisms. Significantly, Microsoft had nothing to say about the Liberty Alliance spec.
We'll continue to follow SAML's developments - not because it's integral to directory services, but because it interacts with the directory so much. Next issue, though, we'll return to pure directory "stuff."
Dave Kearns is a writer and consultant in Silicon Valley. His most recent book is "Peter Norton's Complete Guide to Networks" published by SAMS. Dave's company, Virtual Quill, provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more at Virtual Quill or by e-mail at info@vquill.com
