Liberty Alliance, the consortium for developing open standards for federated identity, interoperable authentication and identity-enabled Web services, insisted today that its SAML 2.0-based identity standards are not just for enterprise applications.
During a teleconference, Web services architects from Nokia Corp. and Sun Microsystems Inc. demonstrated device-independent, client-side consumer applications using the Liberty Enhanced Client Profile (LECP). It is Liberty's version of the ECP spec in the OASIS standard SAML (Security Assertion Markup Language), explained John Kemp, a technical architect at Nokia working on Web services projects for personal identity services using the Liberty technology.The upshot is that Liberty is pushing SAML as device-independent and able to work in any sort of computing environment, a service-oriented identity standard if you will.
LEPC is based on Liberty standards including Identity Federation Framework (ID-FF) and Identity Web Services Framework (ID-WSF) 2.0.
LECP enables "user-centric" identity, which Kemp defined as allowing the user to determine what personal identity information they want to provide to an online merchant in a Web services consumer application.
Using a simple example of how this would work in a transaction, Kemp said that a fictional user named Lois would need to disclose her date of birth to use an online horoscope service from her cell phone. This could be handled by sending a SOAP message containing her LECP identity information. If she then chose to subscribe to a daily horoscope service sent to her cell phone, she would have to choose to send credit card and billing details that could also be done using LECP.
Working for Nokia, Kemp used cell phone examples, but sought to stress the fact that unlike Microsoft's InfoCard, which is Windows-based, the Liberty technology is device independent.
"Personal identity services can be user-centric regardless of where they are located," Kemp said.
In answer to a question at the teleconference from a developer working with the Microsoft InfoCard, Kemp acknowledge that with the device independence the standardized user interface that Microsoft is able to provide via Windows is not possible. He said it would require 160 companies to agree on a single interface and it would still be difficult to produce the same look and feel ranging from a desktop PC to a cell phone or PDA. Yut he said the cues the user is given for providing identity information using LECP is basically the same in all applications. He characterized it as being similar to using various TV remotes. They may not all have the same appearance but it is easy to find the on button since you know it has to be there.
Hubert LeVanGong, a federated identity architect at Sun, demonstrated more complex applications of LEPC showing how a Web services applications from the Department of Homeland Security and the California Department of Motor Vehicles could authenticate a users identity. He also demonstrated credit union and a wine merchant applications using the Liberty standard. A Java applet creating SAML assertions and SAML artifacts provided identity verification as well as banking access and credit card and billing information from a Web browser.
In keeping with Liberty's own assertion that this technology is ready for commercial Web services applications today, the Sun architect said, "Liberty provides all the tools you need to do user-centric identity authentication."
He stressed that with Liberty the user controls who gets sensitive information by allowing them to pick and chose what information goes to a Web services application.
"This is putting the user back in control of his identity," LeVanGong said. "Services providers only get the information users want to give."