Skeptics of federated identity management say the technology is too young for widespread use, and that countless legacy applications would have to be adjusted for everything to work right. Advocates believe it's the best way to securely authenticate users and prevent online thieves from impersonating others while they commit cybercrimes. And with the development of standards like Security Assertion Markup Language (SAML) 2.0, they believe the technology's time has come.
SAML 2.0 passed a series of interoperability tests earlier this year and was approved as a formal draft last month by the Organization for the Advancement of Structured Information Standards (OASIS). Now, the Liberty Alliance -- a global consortium of vendors and end users working to develop open federated identity standards for Web services -- will start testing tools that incorporate SAML 2.0 this summer.
"People know SAML 2.0 has been around the corner, so they've held back from federating with new clients," said Roger Sullivan, vice president of Oracle's Identity Management Solutions division and chairman of Liberty Alliance's Conformance Expert Group. "But with this testing, you're going to see that logjam break free, because it will pave the way for more products that incorporate the standard."
Sullivan said testing will start in July. Two weeks after initial testing begins, the alliance will announce vendors whose products have passed the interoperability test.
The Liberty Interoperable Logo Program requires, among other things, that a vendor's product is compatible with at least two other vendors. When a vendor passes the test and signs Liberty's trademark agreement, the alliance issues it a logo. "The logo is issued to a specific version of a specific product -- not to the product family -- again offering buyer assurance that individual versions of products are indeed interoperable in a stated manner," the alliance said in a statement.
Jahan Moreh is a member of OASIS' Security Services Technical Committee, which has overseen development of SAML 2.0. He said Liberty Alliance's testing plans are an example of the two organizations working together to advance federated identity management. He agrees with Sullivan that demand is growing for the technology.
"There is a need among enterprises for vendors to have SAML 2.0-compatible products," said Moreh, who is also chief security architect of San Mateo, Calif.-based Sigaba. "In July 2002 there was an interoperability demonstration for SAML 1.0 at the Burton conference. That's when we realized something was missing… a specification for one party to communicate with another party." SAML 2.0 is the result, he said.
In the end, Moreh said the Liberty Alliance testing will be about more than vendors getting their products approved. "Conformance and interoperability testing lays the foundation for more standards improvement in the future," he said. "At this point, I believe SAML 2.0 is ready and that federated authority is ready to go. The technology is there."
He predicts federated identity management will be widespread among close business partners in the next two years. He believes it will quickly branch out among other partners in the two years after that.
At the InfoSec World conference in Orlando, Fla., earlier this month, Christopher Ceppi, business development director for Denver-based federated identity software and services firm Ping Identity Corp., said the technology is vital in an age where business is becoming increasingly virtual and decentralized. "With the Internet you need ID portability," he said. "That's what federated identity is about. And with the world we're in now, the technology supporting it is a reality -- mobile technology, decoupled systems."