
Liberty Alliance defies critics and delivers specification

Contrary to Microsoft's oft-stated predictions, the diverse members of the Sun-led Liberty Alliance Project have succeeded in agreeing on a specification for open, federated network identity services.

To the surprise of its detractors, this week the Liberty Alliance Project released version 1.0 of its open, federated network identity specification. When Sun Microsystems signed up 32 business partners – including Bank of America, General Motors and United Airlines, as well as the usual technology and telecommunications companies – to create the Liberty Alliance Project in September 2001, the partners' emphasis on openness and federation in network identity was seen as a direct challenge to Microsoft's centralized rival initiative, Passport.

Sun has consistently sold this federated model as a benefit to financial institutions and others wary of having to compete with Microsoft as a data repository. Microsoft, though, insisted that no Liberty spec would ever see the light of day.

"I think it has zero probability of mattering in the real world," Steve Ballmer told the Gartner Symposium in October – a quote that so impressed Sun EVP Jonathan Schwartz that he pasted it to his desktop to inspire him through months of work on the specification he has at last delivered.

Context: Sun may have been the instigator of the Liberty Alliance, but United Airlines, and in particular CIO Eric Dean, appear to have been the prime movers behind this specification. Unfortunately, a family emergency prevented Dean from attending the spec's launch in San Francisco to accept the credit that is his due. United CTO Rob Robless had to stand in for his colleague.

Robless argued that the Liberty Alliance specification exists to solve three problems in network identity: first, consumer acceptance of doing business over the Internet; second, the ability for businesses to form partnerships online; and third, the ability for businesses to provide their employees with ways of interacting with legacy systems. In fact, it is the third pressure that seems to be driving most of the interest in and growth of network identity services in general.

Technology: Rather than reinvent the wheel, the Liberty Alliance members hoped to leverage as many existing standards as possible. They had five main goals for the specification: optional account linking, simplified sign-in, authentication context to allow different entities to provide the same levels of authentication to shared customers, global logout, and a software client for wireless devices.

The architecture described in the specification consists of three components. First, there's Web redirection, which harnesses both HTTP redirects and the ability to post forms. The Alliance members decided not to use cookies because so many Web users treat cookies with suspicion, limiting them to the website that wrote them or turning them off altogether. Web redirection isn't an ideal distributed systems architecture by any means, but it does enable distributed, cross-domain interactions like single sign-on using only standards that are already in place.

The second architectural component of the Liberty Alliance spec is Web services, simply defined as RPC-like protocol messages conveyed via SOAP.

The third and final component consists of metadata and schemas, an umbrella term that encompasses three subclasses: account/identity, which is simply the user handle; authentication context, a way for identity and service providers to communicate information about the specific authentication mechanisms they are using; and provider metadata, a way for identity and service providers to communicate information about themselves.

Using these three components in well-described, standard ways should enable Liberty Alliance members to offer identity federation, single sign-on and single logout across their shared customers.
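The cookie-free redirect-and-form-post flow described above, as an added illustration that is not code from the specification or from any Alliance member: a service provider (SP) redirects the browser to an identity provider (IdP), the IdP authenticates the user and returns an HTML form that POSTs an assertion back, and the SP checks the assertion against the issuer's provider metadata and its own required authentication context. The provider metadata, the HMAC signing, the JSON assertion format and the authentication-context ranking are all constructed stand-ins, not the Liberty wire format.

```python
import hmac, hashlib, json, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed provider metadata: each provider publishes its endpoint; the
# shared key stands in for whatever trust material the real spec uses.
METADATA = {
    "idp.example": {"sso_url": "https://idp.example/sso", "key": b"constructed-idp-key"},
}
# Constructed authentication-context ranking so an SP can require a minimum.
AUTHN_LEVELS = {"password": 1, "otp": 2, "smartcard": 3}

def sp_redirect(sp_return_url, idp="idp.example"):
    """Step 1: the SP has no cross-domain cookie to rely on, so it answers an
    unauthenticated request with an HTTP redirect carrying its return address."""
    query = urlencode({"return_to": sp_return_url})
    return 302, f"{METADATA[idp]['sso_url']}?{query}"

def idp_authenticate(redirect_url, user_handle, authn_context, idp="idp.example"):
    """Step 2: the IdP authenticates the user and hands the browser a form that
    POSTs the assertion back to the SP (the form-post half of Web redirection)."""
    return_to = parse_qs(urlparse(redirect_url).query)["return_to"][0]
    assertion = {"handle": user_handle, "authn_context": authn_context,
                 "issuer": idp, "issued": int(time.time())}
    body = json.dumps(assertion, sort_keys=True)
    sig = hmac.new(METADATA[idp]["key"], body.encode(), hashlib.sha256).hexdigest()
    return {"action": return_to, "fields": {"assertion": body, "sig": sig}}

def sp_consume(form, required_level, max_age=300):
    """Step 3: the SP verifies the posted assertion against the issuer's
    metadata, rejects stale ones, and enforces its authentication-context policy."""
    body, sig = form["fields"]["assertion"], form["fields"]["sig"]
    assertion = json.loads(body)
    issuer = METADATA.get(assertion.get("issuer"))
    if issuer is None:
        return None, "unknown issuer"
    expected = hmac.new(issuer["key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if time.time() - assertion["issued"] > max_age:
        return None, "stale assertion"
    if AUTHN_LEVELS.get(assertion["authn_context"], 0) < required_level:
        return None, "authentication context too weak"
    return assertion["handle"], "ok"
```

A tampered assertion (for example, an upgraded authentication context) fails the signature check before the policy check is ever reached.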

A United frequent flyer could, for example, opt to federate his or her frequent-flyer identity with his or her membership in Hilton Honors or the Hertz #1 Club. Mercifully, if any of these corporations abuses the privilege, the customer can also opt to unfederate the accounts. Simple opt-out is, however, no guarantee against the abuse or misappropriation of shared personal information, and consumers may still be wary of Liberty identity services.

Products: Seven companies have agreed to deliver products based on the 1.0 specification. They are Communicator, Entrust, NeuStar, Novell, OneName, RSA Security and (inevitably) Sun. Communicator plans to add Liberty Alliance to its Hub ID service, used by Wall Street firms to provide single sign-on for extranets. Entrust hopes to integrate Liberty Alliance with the GetAccess component of its Secure Web Portal.

NeuStar will provide neutral third-party meta-directory and clearinghouse services. Novell unveiled Project Saturn, which uses the 1.0 specification for secure identity information exchange. OneName will add Liberty to its Identity Server, and RSA will use it in authentication, Web access management and single sign-on products. (Editor's note: Sun followed up the announcement by releasing a suite, called the Sun ONE (Open Network Environment) Platform for Network Identity, to establish levels of user access to Web sites.)

Competition: Obviously, the Liberty Alliance Project's main competitor is Microsoft's Passport scheme. For all Microsoft's bravado, it's clear that Sun and its partners have worked hard and well to come up with a specification in a comparatively brief time. In particular, involving user organizations as well as technology companies in the standards-setting process bodes well for the spec's acceptance by industry (if not by consumers themselves, whose interests are strikingly underrepresented). It's a notable achievement, even if it is not, as one analyst at the launch suggested, the most exciting thing ever to happen in computing.

On the other hand, Microsoft's main partner in network identity and Web services security is IBM, and the combination is a formidable one. The partners joined forces earlier this year to write a WS-Security specification. With Sun among its other sponsors, WS-Security has been submitted to the standards group OASIS.

IBM's Bob Sutor told the451 that he sees WS-Security as a superset of the network identity problem. Passport and Liberty may end up fighting it out for the role of a network identity standard within WS-Security. "What I'm hoping for in the long run, to tell you the truth, is that all of this security work gets consolidated over in OASIS," he said.

The451 Assessment: The Liberty Alliance members, and in particular the United Airlines contingent, evidently moved heaven and earth to get a network identity specification written and published, and they deserve credit for their achievement. Whoever defines a network identity standard will be first to market with compliant technologies. Sun evidently hopes Liberty will be that standard, and that selling network identity software to companies anxious to secure their e-business will be immensely profitable.

The451 is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media.
