The Web Services Advisor
If Web services are ever to fulfill even part of their promise, a solution has to be found to the problem of how you securely establish a person's or a service's identity. Establishing an identity is key to being able to take advantage of services and applications beyond a domain or firewall -- and that, after all, is the ultimate promise of Web services.
In this first part of a two-part column, we'll take a look at what federated identity is, its benefits, some of its underlying standards and where it is today. In the next column, we'll take a closer look at the standards and at the two big players in federated identity -- Microsoft and the Liberty Alliance.
What is federated identity?
Federated identity is a way to establish someone's identity across companies, domains and applications. The idea is that once that identity is established in one place, it can be carried across to other Web services. Complex transactions and applications can then be used without the person having to log into each application or service separately, and information about that person can be carried across as well.
Howard Ting, Senior Product Manager specializing in federated identity issues for RSA Security, offers a simple example of federated identity in practice. Say a company outsources human resources functions to different vendors, such as one for a 401K plan, one for a health plan, one for a dental plan and so on. With a federated identity solution, an employee could log onto a single Web site, change 401K options, get health care reimbursement and file dental claims, without having to log into each service separately. Additionally, all the person's personal information would be available at each service, since each service has identified him properly via federated identity.
Services as well as individuals can be identified in this way, and so complex transactions and services can be built using Web services federated identity standards. Steven Van Roekel, Director of Platform Strategies for Microsoft, says that with federated identity, "You can take machines and applications and people and connect them together in ways never before possible."
Dwight Davis, software industry analyst for Summit Strategies, notes that the drive toward federated identity comes because of the increasing need to open company information and Web sites to those outside the company -- "an ongoing trend since the dawn of the Internet," he says.
How will federated identity be used in real-world applications? Microsoft's Van Roekel says it will be used to streamline outsourcing and will be especially useful in supply chain management, automating inventory and purchasing, and ultimately many other cross-enterprise applications.
How is it being used today?
Everyone predicts a rosy future for Web services using federated identity, but the present is not quite so pretty. In the long run, the only real solution is an overall industry standard, because proprietary solutions mean that people and services could have no single, federated identity. Instead, they would have separate identities for different Web services and partnerships.
To date, however, federated identity solutions are primarily proprietary, notes RSA Security's Ting, because as of yet, there is no single, agreed-upon set of federated identity standards.
For example, one way that RSA Security's ClearTrust passes a user identity from one entity to another is proprietary and requires ClearTrust on both endpoints. However, the software also includes a federated identity module that uses the Security Assertion Markup Language (SAML) to let companies manage federated identities with their business partners, so unlike some other solutions it is also standards-based.
But even though proprietary solutions are often used, federated identity has been making its way slowly into corporate America. General Motors employees, for example, use a federated identity solution to get access to outsourced human resources services, such as health benefits and 401K plans. The solution is based on the Liberty Alliance set of federated identity standards.
A brief look at the standards
A number of different standards apply to federated identity, but there are three primary ones:
- SAML: This standard concerns itself with authentication and authorization. The current version is 1.1, but a major new version, 2.0, is due out this summer, and integrates more closely with the Liberty Alliance federated identity standards.
- WS-Federation (Web Services Federation Language): This is an attempt to build an overriding federated identity standard, to work in concert with SAML and other security standards. Prime movers behind it are BEA, IBM, Microsoft, RSA Security and VeriSign.
- Liberty Alliance: This is a set of standards for federated identity overseen by a group of companies called the Liberty Alliance.
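To make the mechanism behind Ting's outsourced-benefits example concrete, here is an added illustration (not code from the column or from any of the vendors named): an employer's portal authenticates the employee once and then issues a signed assertion to each benefits vendor, which checks the signature, issuer, intended audience and validity window instead of running its own login. The issuer name, vendor names, key and employee record are all constructed; the assertion is a compact JSON stand-in for a SAML assertion, which carries the same fields (issuer, subject, audience restriction, validity conditions, attributes) as signed XML.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key held by the employer's portal (the identity provider).
# Real SAML assertions carry an XML signature that vendors verify with the
# portal's public certificate; an HMAC stands in for that so this runs stdlib-only.
PORTAL_KEY = b"constructed-portal-signing-key"
TRUSTED_ISSUER = "hr-portal.example"      # placeholder issuer name

def _sign(payload: bytes) -> str:
    return hmac.new(PORTAL_KEY, payload, hashlib.sha256).hexdigest()

def issue_assertion(employee, attributes, audience, ttl=300, now=None):
    """Portal side: after one login, vouch for the employee to one named vendor."""
    now = time.time() if now is None else now
    body = {"issuer": TRUSTED_ISSUER, "subject": employee, "audience": audience,
            "not_before": now, "not_on_or_after": now + ttl, "attributes": attributes}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def verify_assertion(token, my_service, now=None):
    """Vendor side: accept the portal's statement instead of re-authenticating.
    Returns (subject, attributes); raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        raise ValueError("bad signature")          # forged or tampered
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["issuer"] != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if body["audience"] != my_service:
        raise ValueError("wrong audience")         # replayed from another vendor
    if not body["not_before"] <= now < body["not_on_or_after"]:
        raise ValueError("outside validity window")
    return body["subject"], body["attributes"]

if __name__ == "__main__":
    # Constructed employee record; one login at the portal, three vendor visits.
    attrs = {"employee_id": "E1001", "plan_tier": "family"}
    for vendor in ("401k-vendor", "health-vendor", "dental-vendor"):
        subject, got = verify_assertion(issue_assertion("jdoe", attrs, vendor), vendor)
        print(vendor, "accepted", subject, got)
    try:   # the 401K vendor's assertion must not open the dental vendor's door
        verify_assertion(issue_assertion("jdoe", attrs, "401k-vendor"), "dental-vendor")
    except ValueError as err:
        print("dental-vendor rejected:", err)
```

The audience and validity checks are what keep an assertion issued for one partner from being reused at another or long after the login; those are the parts a relying party most often gets wrong.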
There's been something of a standards war over federated identity, with two primary camps: the Liberty Alliance on one hand, and WS-Federation, backed by Microsoft and BEA among others, on the other.
Some say that competing standards have held back federated identity acceptance, but others say that the standards address two separate sets of problems. Who's right? We'll take a closer look at that, and at what Microsoft and the Liberty Alliance are doing, in my next column.
Continues in Part Two
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. He can be reached at firstname.lastname@example.org.