
User companies pilot Liberty spec

Jan 09, 2003

After more than a year spent crafting a specification, the Liberty Alliance Project now has some of the largest end-user companies and banks in the U.S. putting its work to the test in an effort to see if Liberty can deliver on its promise of a federated identity management system.

General Motors, a founding member of Liberty, is testing the specification by incorporating it into security software for its employee intranet called MySocrates to provide users a single ID for accessing internal human resources data and external Web sites for 401K and health benefit services. The company also is evaluating Liberty as the foundation for a universal authentication service for its network of 10,000 supplier partners.

“We hope any early successes will galvanize the industry around identity management and show the industry how it should move forward,” says Rich Taggart, director of enterprise architecture and IT standards for GM’s global technology management group.

Also, a collection of the largest cash management banks in the U.S. is working with consulting firm Niteo Partners, another Liberty member, to create a network for sharing data secured by Liberty-based identity services. The firm also is working with the Bond Market Association, a trade group representing the $17 trillion global debt markets, to build a Liberty-secured data portal this year for bond dealers to do everything from finding new issues to resolving post-trade disputes.

All three efforts are important proving grounds for the 150-member Alliance, whose membership has grown by 500% since its inception in September 2001. The group published its 1.0 specification in July and a 1.1 update appeared in November. A 2.0 release is scheduled for the middle of this year that will add a permission framework to provide important privacy controls.

The specification, which has already seen support in products from vendors such as Entrust, Novell, Oblix, Sun and RSA, details how to create a re-usable user authentication token for use across Web sites. A key feature is the support of the Security Assertion Markup Language (SAML), an XML-based standard for exchanging user identity information.
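The checks a receiving Web site performs before it accepts such a token are what make a federated token "re-usable" across sites, and the trust relationship problem raised later in the article is, in code, the question of which issuers appear on the receiving site's allow-list. The following is an added example, not code from the article or from the Liberty Alliance specification: it uses SAML 1.x-style element names, a constructed sample assertion with made-up issuer and audience URLs, and a hypothetical `validate_assertion` function that checks issuer, audience and validity window. XML signature verification is assumed to have already been done against the partner's published key before these fields are trusted.

```python
"""Relying-party checks on a SAML-style assertion (added example).

The assertion below is constructed for this example; the issuer and
audience URLs are made up. A real deployment must verify the XML
signature against the partner's key before trusting any of these fields;
that step is assumed done and is not shown here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not a real token).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    AssertionID="_example-1" IssueInstant="2003-01-09T12:00:00Z"
    Issuer="https://idp.example-bank.test" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2003-01-09T12:00:00Z"
                   NotOnOrAfter="2003-01-09T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://portal.example-dealer.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2003-01-09T11:59:30Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier>alice@example-bank.test</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Return (ok, reason, subject); subject is None unless every check passes.

    trusted_issuers is the federation allow-list: the partners this site has
    a trust relationship with. my_audience is this site's own identifier.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", None

    # 1. Issuer must be a federation partner we have agreed to trust.
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", None

    # 2. The assertion must be inside its validity window.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return False, "assertion outside validity window", None

    # 3. The assertion must be addressed to this site, so a token minted
    #    for one partner cannot be replayed against another.
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "assertion not addressed to this site", None

    # 4. Only then read the subject the partner is vouching for.
    name = root.find(".//saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return False, "missing subject", None
    return True, "ok", name.text


if __name__ == "__main__":
    trusted = {"https://idp.example-bank.test"}
    me = "https://portal.example-dealer.test"
    print(validate_assertion(SAMPLE_ASSERTION, trusted, me,
                             parse_instant("2003-01-09T12:01:00Z")))
```

The order of the checks matters: issuer and signature first, so that nothing in an untrusted document is interpreted, then the window and audience, and only then the subject. Trust between companies is represented entirely by the `trusted_issuers` set, which is why Blum's point about the missing trust-establishment mechanism is a deployment problem rather than a token-format problem.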

Liberty’s efforts are similar to Microsoft’s Passport single sign-on service, which Microsoft is trying to adapt for corporate use.

GM has deployed Web Access Management products, which it declined to identify, that support the Liberty specification as part of its MySocrates intranet.

“We see the potential for enormous internal cost savings on things like password management and the help desk,” says Taggart.

But the company also is exploring Liberty for support of a system that extends across company boundaries. “We will never have agreement [with partners] around one identity model, that’s why we need a federated system,” says Taggart.

GM is now asking vendors to detail plans for support of Liberty and SAML in any product pitches they make to the company.

“We won’t throw out existing products, we want them updated with Liberty and SAML,” says Taggart. The company also is asking two of its largest technology vendors, IBM and Microsoft, to get involved.

“The biggest barrier I see to acceptance of Liberty is that Microsoft and IBM are not on-board,” says Dan Blum, an analyst with the Burton Group. Blum says the technology also suffers from the lack of a mechanism to create trust relationships between companies.

Some of those solutions begin with version 2.0, which focuses on wiring together islands of Liberty Alliance users to create a mesh of trust.

“I expect to see continued progress from Liberty this year and some in-house projects, but because of the barriers I don’t think we’ll see a tsunami wave of adoption,” says Blum, who thinks Liberty will remain a gateway service for the near future before being added natively to applications.

But one firm hopes end-user projects will mature the specification through real-world implementations. Niteo Partners is building a proof-of-concept network with the Financial Services Technology Consortium and a collection of cash management banks using Liberty-based authentication services to support a multi-bank reporting application. The application is a series of Web services that allows a company’s primary bank to aggregate data from other banks the company conducts business with in order to evaluate the company’s cash positions. Liberty credentials authenticate users across the banks and will eventually provide permissions to control access to data.

Today, the data collection is done using expensive private networks, according to Michael Versace, national director of financial services for Niteo.

“We hope to learn a lot about interoperability around Liberty and SAML and find out if they provide enough semantic information to allow services to execute,” says Versace. “We want to see if we can build in enough knowledge so that the service can trust the [Liberty identity tokens].”

Versace then hopes to feed those practical implementation lessons back into the Liberty development cycle to improve the specification and avoid the pitfalls of other efforts to create security services, namely Public Key Infrastructure.

“PKI was a technology phenomenon,” he says. “It took too long for business applications to take form. We understand that issue now and we want to get business needs aligned with the technology earlier.”