
Universal user IDs ease bond trading

Nov 11, 2002

NEW YORK – A consortium of the world’s top financial institutions is sharing user directories so customers can enjoy single sign-on access across their Web sites in an effort that is shaping up to be a blueprint for emerging universal user identification standards.

Under a program called the Bond.Hub consortium, Credit Suisse First Boston, Goldman Sachs, JPMorgan Chase, Lehman Brothers, Merrill Lynch, Morgan Stanley, Salomon Smith Barney and UBS Warburg have created single sign-on capabilities for 15,000 mutual customers seeking fixed-income investments by joining customer identities stored in their respective directories – a concept known as federating.

With Bond.Hub, a user who signs in on one private bond site can cross over to another institution’s private site, for which the user has an account, without having to enter a separate username and password. The hub operates in the background and synchronizes a user’s identities from each institution, and brokers the exchange of encrypted security credentials.

While standards to support universal identities for use across the Internet are just beginning to take shape, Bond.Hub shows that federating authentication and authorization credentials can ease the burden of administering identities and access-control data for internal users and business partners. Today, companies often have to administer those accounts manually or delegate administration to partners, both of which are labor intensive and don’t scale.

The proprietary Bond.Hub for federating identity is equivalent in concept to a proposed standard being developed by the Liberty Alliance, a consortium of corporations and vendors that released a specification in July for a Web-based universal identity.

The Bond.Hub effort also mirrors the goals of the Security Assertion Markup Language (SAML), an XML-based standard security protocol that the Organization for the Advancement of Structured Information Standards approved last week.

“Bond.Hub proves that the Liberty Alliance and SAML standards are not being defined in a vacuum,” says James Kobielus, an analyst with Burton Group and a Network World columnist. “It’s a proof of concept for federated identity with account linking and single sign-on. That’s a core-use case for Liberty Alliance.”

The Liberty Alliance specification, which incorporates SAML, seeks to establish a standard user authentication and authorization system that is valid across Web sites. Microsoft is working on a similar project with its Passport technology. Both projects will require not only a universal user identity but also standards for creating permissions and policies regarding access control, and contracts for spelling out obligations of trust and liability.

Bond.Hub is built on a hosted service from vendor Communicator, which uses its Hub ID product to link subsets of the user repositories of the eight bond houses. Former members of the electronic-commerce team at Salomon Smith Barney founded Communicator three years ago.

Bond.Hub provides two services: It synchronizes the directories of the institutions, and it acts as a proxy to match identities and pass encrypted credentials between the Web sites of the institutions.

The hub uses a proprietary protocol to synchronize user identities from the institutions in its directory, automatically adding users who establish accounts with two or more of the financial institutions or deleting users who settle on a single account with one institution.

The customers, who are looking for research reports and to buy and sell bonds, include pension fund organizations, investment management firms, banks, municipalities and individual investors.

In addition, the hub supports a proprietary security credential, called a cooked URL (CURL), and acts as a proxy that transports encrypted user identity information between the institutions’ Web sites and Bond.Hub. Standard credentials, such as Liberty Alliance and SAML, eventually could replace CURL, according to Communicator.

The hub maps the user’s identification from one site to the user’s identification at another site, which guarantees the institutions never see each other’s data. And end users need use only a toolbar that Bond.Hub adds to their browser for navigating between sites.
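The two hub services described above, directory synchronization and identity mapping for the cross-site hand-off, can be sketched as an added illustration. This is not Communicator's Hub ID code and does not reproduce the CURL credential format; the shared-secret HMAC token, the use of an e-mail address as the linking key, and the sample institution feeds are all constructed for the example. The point it makes concrete is the guarantee in the paragraph above: the credential delivered to the target institution carries only that institution's own identifier for the user, never the originating site's.

```python
"""Toy federated-identity hub modelled on the two Bond.Hub services in the
article: (1) keep a hub directory containing only users who hold accounts
at two or more institutions, and (2) broker a cross-site hand-off by
mapping the user's ID at the originating site to the ID at the target site.
Illustration only; token layout and keying are assumptions, not Hub ID."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample feeds: institution -> {local_id: linking_key}.
# The e-mail address stands in for whatever matching key partners agree on.
FEEDS = {
    "bank_a": {"a-1001": "ana@pension.example", "a-1002": "bo@fund.example"},
    "bank_b": {"b-77": "ana@pension.example", "b-78": "cy@city.example"},
    "bank_c": {"c-5": "ana@pension.example", "c-6": "bo@fund.example"},
}


def synchronize(feeds):
    """Build the hub directory: opaque hub_id -> {institution: local_id}.
    Users present at a single institution are dropped (the article's
    deletion rule); users present at two or more are added."""
    by_key = {}
    for inst, users in feeds.items():
        for local_id, key in users.items():
            by_key.setdefault(key, {})[inst] = local_id
    hub = {}
    for key, accounts in by_key.items():
        if len(accounts) >= 2:
            # Opaque linking id; the raw key is not stored in the directory.
            hub_id = hashlib.sha256(key.encode()).hexdigest()[:16]
            hub[hub_id] = accounts
    return hub


class Hub:
    def __init__(self, feeds, ttl=60):
        self.directory = synchronize(feeds)
        # Reverse index so a (institution, local_id) pair resolves in O(1).
        self.reverse = {(inst, lid): hub_id
                        for hub_id, accts in self.directory.items()
                        for inst, lid in accts.items()}
        # One secret shared between the hub and each institution (assumption).
        self.keys = {inst: secrets.token_bytes(32) for inst in feeds}
        self.ttl = ttl

    def _sign(self, inst, payload):
        return hmac.new(self.keys[inst], payload, hashlib.sha256).hexdigest()

    def issue_handoff(self, from_inst, from_local_id, to_inst, now=None):
        """Called after from_inst has authenticated from_local_id. Returns a
        short-lived credential addressed to to_inst that names the user only
        by to_inst's own identifier, or None if no linked account exists."""
        now = int(time.time()) if now is None else now
        hub_id = self.reverse.get((from_inst, from_local_id))
        if hub_id is None or to_inst not in self.directory[hub_id]:
            return None
        claims = {"aud": to_inst, "sub": self.directory[hub_id][to_inst],
                  "iat": now, "exp": now + self.ttl,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return body.hex() + "." + self._sign(to_inst, body)

    def verify_handoff(self, inst, token, now=None):
        """Run on the target institution's side with its shared secret:
        check signature, audience and expiry; return the local id or None."""
        now = int(time.time()) if now is None else now
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(inst, body)):
            return None
        claims = json.loads(body)
        if claims.get("aud") != inst or claims.get("exp", 0) < now:
            return None
        return claims["sub"]


if __name__ == "__main__":
    hub = Hub(FEEDS)
    tok = hub.issue_handoff("bank_a", "a-1001", "bank_b")
    print("bank_b resolves user to:", hub.verify_handoff("bank_b", tok))
```

Two design points carry over to any real deployment of this pattern: the audience check stops a credential minted for one institution from being replayed at another, and the expiry bounds how long an intercepted token is useful, which matters when the hand-off travels through a browser as the article's toolbar-driven flow does.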

“Before Bond.Hub, users had to have IDs on each site; they had to log in to eight different sites,” says Mike Bassman, vice president of fixed-income analytics for Lehman Brothers. Bassman says single sign-on has increased traffic to the company’s Web site.

Lehman Brothers joined the Bond.Hub consortium early in 2001, the same year Institutional Investor named the company’s U.S. fixed-income research team No. 1, and ranked its fixed-income trading No. 2. The Bond.Hub consortium began in 1999 with three institutions and a handful of customers.

But while Bassman lauds Bond.Hub, he says it’s had growing pains. Lehman spent nearly nine months linking to Bond.Hub, which is priced at $100 per user, per year.

“Keeping everything in sync with a proprietary protocol requires a bunch of code,” Bassman says. “We had to create custom feeds into our [Lightweight Directory Access Protocol] directory. We had to write code to feed Bond.Hub and sync the results through the entire system.”

While Bond.Hub shows the promise of creating standards to support federated directories and federated identities, it masks other complexities that will have to be addressed, including contractual matters of trust and liability.

“The Liberty Alliance and SAML standardize the problem of linking identities,” says Serge Shinkar, product manager for Hub ID at Communicator. “They provide a flexibility over CURL, but they don’t address policies that need to be in place among the business partners. They leave it up to the ID providers to manage trust and establish permissions.”

Shinkar says those are the services that Bond.Hub provides.

“The biggest thing is control: Who has control, who has ownership of the information,” he says. “You need an infrastructure that your information security people can trust.”