The Web Services Advisor
Continued from Part One
Perhaps nothing is more important to the future of Web services than federated identity -- the ability to securely establish a person's or a service's identity and to share that identity across domains and enterprises. Establishing a unique identity is the key component in being able to take advantage of services and applications beyond a domain or firewall -- which is the ultimate promise of Web services.
In this second part of a two-part column, we'll look at the various protocols and standards underlying federated identity and at the two main groups involved in federated identity technologies -- the Liberty Alliance and a group spearheaded by Microsoft, BEA, IBM and others.
A look at the technologies
First a brief refresher: Federated identity can establish someone's identity across companies, domains and applications. Once an identity is established, it can be used with other Web services, enabling creation of complex transactions and applications without having to log into separate applications or services.
A variety of standards and specifications are involved in creating a federated identity. A big problem is that these standards and specifications don't necessarily work with one another. In fact, there are two warring camps: the Liberty Alliance, and a group spearheaded by Microsoft, BEA, IBM and others. The three main standards and specifications are:
- SAML: This authentication and authorization standard has been around for some time and so has already made its way into products, and is starting to be more widely used. The current version is 1.1, but a major new version, 2.0, is due out this summer and integrates closely with the Liberty Alliance federated identity specification.
- WS-Federation (Web Services Federation Language): This is an attempt to build an overriding federated identity standard and to build on the work done in creating SAML and other security standards. Prime movers behind it are BEA, IBM, Microsoft, RSA Security and VeriSign.
- Liberty Alliance: This is a set of specifications for federated identity overseen by a group of companies called the Liberty Alliance, of which Sun was a prime mover and founder.
SAML will remain an underlying standard for authentication, no matter what happens with WS-Federation and the Liberty Alliance specification. But it's unclear what the future holds for the Microsoft-led camp and the Liberty Alliance, whether there will be a Darwinian struggle that will let the market decide between the two approaches, or whether they will ultimately make peace with one another. And while both sides try to say nice things about each other in public, they still make veiled references to how their proposals are superior to their competitors' and will ultimately win out. Here's a look at each side.
The view from Microsoft
Steven Van Roekel, Director of Platform Strategies for Microsoft, says that in the past, identities were always established via proprietary security mechanisms, for example using Kerberos security. The problem was in how to pass that identity along with its credentials and other information and move it around in a Web services scenario.
The WS-Security standard was one solution. It was developed to attach user credentials to a Web services message and is in the final stages of ratification by OASIS. Microsoft ships a free toolkit for using it with Visual Studio, as part of the Web Services Enhancements (WSE) technology. Find it at http://msdn.microsoft.com/webservices/ and look for the link to Web Services Enhancements (WSE) 2.0 Technology Preview.
WS-Federation, Van Roekel notes, "is higher up the stack" than WS-Security, and will be used for creating federated identities. Microsoft is currently doing interoperability testing for the proposed standard. Microsoft expects that developer toolkits for it will soon be coming. And the company also emphasizes that the proposed standard is the result of a group effort between IBM, BEA, Microsoft and others, and is not being proposed by one company.
When contrasting WS-Federation with the Liberty Alliance specification, Van Roekel is positive about both, but to a certain extent he damns the Liberty Alliance with faint praise. He says that the Liberty Alliance specifications solve only the core scenario in which a consumer opts in to interact with a Web site or group of Web sites, for example allowing an identity to be shared among business partners such as a bank and a travel company. He adds that "they tackle that one scenario," while WS-Federation "is more general purpose -- a modular piece of technology not just for consumers but for corporate customers" as well. "Liberty bet only on SAML," he contends, "but what about Kerberos, or VeriSign and others? You have to bring it all together and establish trusted relationships."
The Liberty Alliance speaks
As you might imagine, the Liberty Alliance and Sun don't agree with Microsoft.
"Liberty Alliance is the only global open body addressing federated identity business and technical issues, open to anyone to join," says Andrew Shikiar, Sun's group marketing manager for identity and the Liberty Alliance. "So it's the place to be when you're talking about federated identity. Liberty is an open effort and has already been adopted and is working."
For example, he says, the Radio@AOL service, which lets anyone access music streams on multiple devices such as telephones and home networks, uses the Liberty Alliance specifications.
"Analysts recommend that companies work with the Liberty Alliance now," he claims, "because WS-Federation is still years off."
Paul Madsen, manager of identity services with Entrust and a Liberty Alliance member, adds that "a very broad spectrum" of companies have announced support for the Liberty Alliance federated identity specifications, notably companies in the "mobile space," including Nokia, Vodafone and Ericsson. Other companies such as General Motors are using it as well, he says.
Simon Nicholson, chairman of the Liberty Alliance's business and marketing group, takes a swipe at Microsoft and its partners. "Only one group is working in an open manner," he adds, while the other group (in other words, Microsoft, BEA, IBM and others) "is working only in their own organizations and at their own pace. Until those specifications are open standards where the community can work on them, they remain the property of that single company."
Where it's all headed
Both sides claim that they want to work with the other, but for now, there clearly remains bad blood on both sides. The overriding problem is that for federated identity to become a reality, as a practical matter there can't be competing standards. So who will win?
Do you believe the Liberty Alliance will win out because it is promoting an open technology that is already deployed? Or do you believe Microsoft and its partners (WS-Federation) will inevitably win, because WS-Federation addresses a much larger problem than the narrower scenario covered by the Liberty Alliance?
Expect several years of bickering, but remember that Microsoft has an ace up its sleeve -- the next version of Windows, code-named Longhorn. That Windows version will include Web services technology as part of its underlying architecture, which Microsoft says will reduce the complexity of writing applications that take advantage of federated identity. If that makes it easy for developers to write such applications and for users to adopt them, it will be tough for the Liberty Alliance to ultimately win.
Who do you believe will win the federated identity race and why? Let us know! E-mail your comments to editor@SearchWebServices.com. Letters to the editor may be published on site.
For related articles and commentary:
- Federated ID projects to rise in '04, study finds
- Identity, authentication key to Web services security
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. He can be reached at email@example.com.
This was first published in March 2004