Found in translation

Getting different identity systems to talk together is not so hard anymore

A recent consolidation of identity standards and the launch of the General Services Administration's governmentwide single sign-on program could mean that 2006 will finally be the year in which federated identity begins living up to its hype after several years of stalled progress.

Federated identity enables people to access a large range of electronic services across government and corporate organizations by signing on to systems using one identity. It's considered crucial to the development of online services. Without it, people would have to register their IDs and passwords on every online site.

But with a half-dozen or more different and incompatible standards for sharing identities, most organizations have been reluctant to develop federated identity programs because of the cost and complexity of supporting so many protocols.

Observers say all those standards now seem to be converging toward just two: SAML Version 2.0, the latest version of the Security Assertion Markup Language developed by the Organization for the Advancement of Structured Information Standards (OASIS), and WS-Federation, a Web services protocol developed by IBM and Microsoft.

The standards convergence should make it much simpler for organizations to take the federated plunge. For example, GSA has already backed SAML Version 1.0 as the initial standard for its decentralized E-Authentication identity management system and expects to eventually replace that with SAML 2.0.

The reality, however, is most agencies that opt for a federated system will probably be living in a multiprotocol world for a number of years.

"My sense is that those users looking to push federated identity are favoring SAML 2.0, but it always takes industry some time to move forward on these things," said Gerry Gebel, a senior analyst at the Burton Group. "Those running SAML 1.0 and such things as the Liberty Alliance protocols will take time to upgrade."

The Liberty Alliance is a project of more than 150 companies and nonprofit organizations worldwide that have been collaborating on open federated identity standards.

Even if the standards choice boils down to SAML 2.0 or WS-Federation, which Steve Anderson, a product architect at BMC Software, said he believes it will, different implementations of those standards will likely exist.

"I think we have to face the fact that we'll have to deal with differing protocols for some time," he said.

Organizations that want to deploy a federated identity solution soon must figure out how to set up their systems to operate with other organizations and identity systems.

Leading options

The Burton Group addressed the interoperability problem during a demonstration at a conference in July, in which vendors participated in a challenge to show that their products could provide multiprotocol interoperability.

The participants ran those demonstrations through three middleware architectures, including:

  • A multiprotocol hub, which speaks all of the different kinds of protocols that the organizations it links to are likely to use.
  • A multiprotocol translator, in which identity messages described by the sender of identity information using one protocol are translated into the protocol used by the receiving organization.
  • A protocol integration system using a security token server (STS), which issues security tokens, such as unique digital signatures. Identity information senders and receivers can trust the tokens and use them to handle traffic involving WS-Federation.

Although those three configurations were chosen for demonstration purposes only during the event, they may be the way most organizations deploy multiprotocol systems, Gebel said.

Each has its strengths and weaknesses.

A multiprotocol translator, for example, is probably best used in organizations that already have a single protocol federated system in place and don't connect to more than a few other organizations using different protocols.

But because each protocol has a different set of features for enhancing data sharing, some functionality is bound to be lost in translation.

"With translating from one protocol to another, you have to look at the [feature] subsets involved," said Felix Gaehtgens, vice president of sales and marketing at Symlabs, which sells identity management solutions. "You are always losing out on something, the question is if what you are losing is relevant."

A multiprotocol hub, on the other hand, supports all the possible protocols that an organization's partners are likely to use. That eliminates translation losses. But depending on how many protocols or variations of those protocols the software has to support, it can become complex. And complexity adds cost because of the necessary maintenance issues.

However, the hub architecture can start simply and then build to a more complicated system as needed.

"People should look at a hub as the end game rather than the beginning," said Atul Tulshibagwale, founder and chief executive officer of Trustgenix, another single sign-on solutions provider. "Agencies could set up as a hub to manage their own internal users but can start out as a spoke rather than a full-blown hub with outside credential providers."

Most agencies will probably begin their federated identity existence as limited service providers and as spokes, issuing credentials only for their users, he said. Some will then become a full-blown hub as their federated role expands, and they become both service and credential providers for other organizations.

The Labor Department's Mine Safety and Health Administration is building a federated identity system in that way. It will start as a service provider for its majority stakeholders, such as mining companies that need to file electronic documents, said Tim Klug, an MHSA enterprise architect. But in the future, it will share system resources with other agencies.

The system will also be useful for doing business with other government agencies.

"Virginia has a mapping system that's of interest to us, for example, and we'd like to share data with them and get system access," Klug said. "The federated identity system provides an easy way to share authentication of users."

Tulshibagwale said he expects most agency Web sites to eventually become hubs that connect to other hubs as service and identity providers in a meshed federated identity universe.

The third federated identity integration option, the STS-based system, probably is not a major technical stretch for most users because it would simply require another network resource to negotiate protocol exchange and format translation for Web service messages between partners.

Any STS problems are likely a product of Microsoft and IBM development that has an unknown future as far as standardization is concerned. Whereas SAML is part of a fully open standardization effort under OASIS, with participation by all of the leading providers of federated identity solutions, IBM and Microsoft have traditionally kept details of their standards' developments close to their chests.

Nevertheless, the federated identity vendors that support SAML 2.0 most likely will also support WS-Federation specifically to interoperate with the Active Directory Federation Services, which will be a major part of Microsoft's next release of Windows Server 2003 in December, said Patrick Harding, vice president of technology at Ping Identity, which sells federated identity solutions.

New GSA service bridges ID differences

For government agencies wanting to jump-start their federated identity projects and begin accepting electronic credentials from other trusted partners, the General Services Administration's E-Authentication Federation may be the answer.

GSA launched the service in August after several years of testing products and standards. It will use a multiprotocol translator to bridge participants' use of different identity protocols.

"So far we only have a very small number of applications and credential suppliers [using the service], but we fully expect these to build up over time," said Steve Timchak, the program's manager.

GSA is allowing agencies to take advantage of the federation through the federal enterprise architecture. To join the federation, Timchak said, agencies have to adopt and install whatever schemes and protocols GSA approves, such as the Security Assertion Markup Language (SAML) 1.0 protocol.

The other requirement is that agencies agree to GSA's operational and business rules for the federation.

"It's been very interesting getting people to agree on all of this," Timchak said. "It requires [agencies] to use applications and credential service suppliers that they don't own, and that's something entirely new for them."

The federation will adopt SAML 2.0 when there are enough commercial products to support it, he said. Meanwhile, Timchak said, it's understood that participants in the federation will need to interoperate with organizations that use different protocols, hence the protocol translator, which could be provided as a service of the federal enterprise architecture.

-- Brian Robinson

Key federated identity standards
  • Security Assertion Markup Language (SAML). SAML 1.0 was ratified by the Organization for the Advancement of Structured Information Standards (OASIS) in 2002. However, it lacked features that the federated identity universe has come to expect in solutions, such as being session-oriented and allowing users to log out once from multiple sites they are visiting. SAML 2.0, which was released this past summer, now includes those features, along with such things as the identity federation framework included in SAML 1.1.
  • Liberty Alliance. The Liberty 1.2 protocol has features similar to SAML 1.1. The earlier Liberty 1.1 was developed to overcome the limitations of SAML 1.0, such as global log-out. The Alliance donated Liberty 1.2 to OASIS for inclusion in SAML 2.0.
  • WS-Federation. IBM and Microsoft, along with RSA Security, BEA Systems and VeriSign, introduced WS-Federation in 2003. With the WS-Trust and WS-Policy specifications, it constitutes a federated identity framework. So far, WS-Federation has not yet been submitted to any independent standards body, though experts expect that it will be.

-- Brian Robinson

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above