Digital Identity Standards

Digital identity federation requires a loosely coupled software architecture for automatically exchanging identity information between heterogeneous systems. Standards are essential for this process. We saw some of the foundational standards for this in Chapter 11. There are many more. Figure 12-1 shows the interrelationship among some of the various federation standards.

There are three primary groups creating standards for federation: an alliance between Microsoft and IBM, OASIS, and the Liberty Alliance.

In April 2002, Microsoft and IBM published a joint whitepaper outlining a roadmap for developing a set of web service security specifications. Commonly called WS-*, the specifications work in a modular fashion to build on each other to create an overall effect.[*]

The first jointly developed specification from IBM and Microsoft, WS-Security, offers a mechanism for attaching security tokens to messages, including tokens related to identity. The roadmap described in the 2002 whitepaper included other specifications that support web services.

WS-Policy is a language for describing the security policy of a particular web service. For example, WS-Security can use several different security token systems such as SAML assertions or Kerberos tickets. Using WS-Policy, a web service might specify that it accepts SAML 1.1 assertions but not Kerberos tickets.

WS-Trust is a language that allows a service to ask some trusted authority that one token be exchanged for another. This action is the basis for federation, because essentially what's happening is that one site's security token is being exchanged for an equivalent one from the other site.

WS-Federation orchestrates the WS-Trust interactions to allow different security domains to federate by brokering trust of identities, attributes, and authentication between participating web services.
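To make the WS-Policy and WS-Trust ideas concrete, here is a small, added illustration (not code from the book or from any WS-* implementation) of a token service for one security domain. It advertises which token types it accepts, checks that an incoming token comes from a trusted issuer and is correctly signed, and only then exchanges it for a token of its own. The real specifications use XML messages and PKI signatures; this model uses HMAC-signed JSON as a stand-in, and every domain, key and token type named is constructed for the example.

```python
"""Hypothetical model of a WS-Trust style token exchange governed by a
WS-Policy style list of accepted token types. Added illustration only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def sign_token(claims: dict, key: bytes) -> str:
    """Encode claims and append an HMAC-SHA256 tag (stand-in for an XML signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def peek_claims(token: str) -> Optional[dict]:
    """Read claims WITHOUT verifying; used only to learn which issuer key to check."""
    try:
        body, _tag = token.rsplit(".", 1)
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the tag verifies under `key`, otherwise None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class TokenService:
    """One security domain's token service (the WS-Trust 'security token service' role)."""

    def __init__(self, domain, key, accepted_types, issued_types, trusted_issuers):
        self.domain = domain
        self.key = key
        self.accepted_types = set(accepted_types)      # WS-Policy analogue: what we take in
        self.issued_types = set(issued_types)          # what we are able to hand out
        self.trusted_issuers = dict(trusted_issuers)   # issuer domain -> verification key

    def issue(self, subject, token_type, ttl=300, extra=None):
        claims = {"iss": self.domain, "sub": subject, "type": token_type,
                  "exp": int(time.time()) + ttl}
        claims.update(extra or {})
        return sign_token(claims, self.key)

    def exchange(self, token, wanted_type):
        """Exchange a partner's token for one of ours; returns (status, new_token)."""
        unverified = peek_claims(token)
        if unverified is None:
            return "malformed", None
        issuer_key = self.trusted_issuers.get(unverified.get("iss"))
        if issuer_key is None:
            return "untrusted_issuer", None
        claims = verify_token(token, issuer_key)       # trust claims only after this
        if claims is None:
            return "bad_signature", None
        if claims["type"] not in self.accepted_types:
            return "token_type_not_accepted", None
        if claims["exp"] < time.time():
            return "expired", None
        if wanted_type not in self.issued_types:
            return "cannot_issue_type", None
        new_token = self.issue(claims["sub"], wanted_type,
                               extra={"federated_from": claims["iss"]})
        return "ok", new_token


def demo():
    """Airline / rental car scenario; all keys, domains and subjects are constructed."""
    airline_key, rental_key = b"airline-signing-key", b"rental-signing-key"
    airline = TokenService("airline.example", airline_key,
                           ["saml-1.1"], ["saml-1.1", "kerberos"], {})
    rental = TokenService("rentalcar.example", rental_key,
                          ["saml-1.1"], ["rental-session"], {"airline.example": airline_key})
    results = {}
    status, tok = rental.exchange(airline.issue("alice", "saml-1.1"), "rental-session")
    results["saml_exchange"] = status
    results["new_claims"] = verify_token(tok, rental_key) if tok else None
    # Policy says only SAML 1.1 is accepted, so a Kerberos-type token is refused.
    results["kerberos_rejected"] = rental.exchange(airline.issue("alice", "kerberos"),
                                                   "rental-session")[0]
    # Same issuer name but signed with the wrong key: signature check fails.
    wrong_key = TokenService("airline.example", b"wrong-key", ["saml-1.1"], ["saml-1.1"], {})
    results["wrong_key_rejected"] = rental.exchange(wrong_key.issue("alice", "saml-1.1"),
                                                    "rental-session")[0]
    # A domain with no trust relationship is refused before any signature check.
    stranger = TokenService("unknown.example", b"k", ["saml-1.1"], ["saml-1.1"], {})
    results["unknown_issuer"] = rental.exchange(stranger.issue("bob", "saml-1.1"),
                                                "rental-session")[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The order of the checks is the point: the issuer named in the token is used only to select a verification key, nothing in the token is believed until the signature verifies, and the accepted-types list plays the role WS-Policy plays in declaring which token systems a service will take.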

There are many other specifications in the WS-* constellation. Each attempts to solve a particular problem in web services interoperability.

OASIS, the Organization for the Advancement of Structured Information Standards, is a not-for-profit, international consortium that produces e-business standards.[*] OASIS has published several important web services standards including SAML, SPML, and XACML. SAML is widely used as an identity standard in web services and, as shown in Figure 12-1, is the foundational standard for much of what's happening in federation. Our discussion of SAML in Chapter 11 highlighted use cases that showed how SAML can be used to federate identity between the web sites of an airline and a rental car company. Other standards in the figure create a context for web sites to exchange SAML tokens to enhance interoperability.

The Liberty Alliance is a consortium of 170 companies that develops specifications for federated identity management.[*] It originally envisioned creating a single comprehensive federated identity specification. In March 2003, however, it released a new blueprint that described three separate specifications that can be used together or independently:

Identity Federation Framework (ID-FF)

Allows single sign-on and account linking between partners with established trust relationships

Identity Web Services Framework (ID-WSF)

Allows groups of trusted partners to link to other groups, and gives users control over how their information is shared

Identity Services Interface Specifications (ID-SIS)

Will build a set of interoperable services on top of the ID-WSF

One federation standard not shown in Figure 12-1 is Shibboleth, the identity architecture project of Internet2.[*] Internet2 is a coalition of U.S. universities building a next-generation Internet. Shibboleth, which is based on SAML, enables single sign-on and federated administration of access to restricted resources. The user's site and the target site negotiate based on attributes (e.g., faculty member at a particular school, student in a particular course) rather than the unique identity of the user, an approach designed for active privacy management.
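The attribute-based negotiation just described is easier to see in code. The following is an added illustration, not Shibboleth's own software: the user's home site holds an attribute release policy that says which attributes each target site may learn, and the target grants or denies access on those attributes alone, never seeing the user's identifier. The user records, site names and policies are all constructed for the example.

```python
"""Hypothetical model of attribute-based access negotiation in the style the
chapter attributes to Shibboleth. Added illustration only."""
from typing import Callable, Dict, Iterable, Tuple


class AttributeAuthority:
    """Home-site component that answers attribute queries under a release policy."""

    def __init__(self, users: Dict[str, dict], release_policy: Dict[str, Iterable[str]]):
        self.users = users                                            # uid -> attributes (constructed)
        self.release_policy = {t: set(a) for t, a in release_policy.items()}  # target -> names

    def release(self, uid: str, target: str) -> dict:
        """Return only the attributes the policy allows for `target`.

        An unknown target gets nothing, and the uid is never released even if
        a policy entry were to list it, which keeps the user pseudonymous."""
        allowed = self.release_policy.get(target, set())
        record = self.users.get(uid, {})
        return {name: record[name] for name in allowed if name in record and name != "uid"}


class Resource:
    """Target-site resource guarded by a rule over attributes, not identities."""

    def __init__(self, name: str, rule: Callable[[dict], bool]):
        self.name = name
        self.rule = rule

    def decide(self, attrs: dict) -> bool:
        try:
            return bool(self.rule(attrs))
        except KeyError:          # a required attribute was not released: deny
            return False


def negotiate(authority: AttributeAuthority, uid: str, resource: Resource) -> Tuple[bool, dict]:
    """Home site releases attributes for this target; target decides. Returns (granted, released)."""
    attrs = authority.release(uid, resource.name)
    return resource.decide(attrs), attrs


def demo():
    users = {  # constructed sample records
        "jdoe": {"uid": "jdoe", "affiliation": "faculty", "school": "example.edu", "courses": ["cs101"]},
        "asmith": {"uid": "asmith", "affiliation": "student", "school": "example.edu", "courses": ["cs101"]},
    }
    policy = {  # constructed release policy: what each target may learn
        "journal.example": ["affiliation", "school"],
        "cs101-site.example": ["courses"],
    }
    aa = AttributeAuthority(users, policy)
    journal = Resource("journal.example",
                       lambda a: a["affiliation"] == "faculty" and a["school"] == "example.edu")
    course = Resource("cs101-site.example", lambda a: "cs101" in a["courses"])
    unlisted = Resource("other.example", lambda a: a["affiliation"] == "faculty")
    return {
        "faculty_journal": negotiate(aa, "jdoe", journal),
        "student_journal": negotiate(aa, "asmith", journal),
        "student_course": negotiate(aa, "asmith", course),
        "unlisted_target": negotiate(aa, "jdoe", unlisted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The journal learns that the requester is faculty at example.edu and nothing else; the course site learns only the course list; a site with no entry in the release policy receives no attributes at all and therefore cannot reach a grant decision.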

So where do these standards all lead? At this point, it's not clear. While there is overlap among standards from each group, each was begun with a slightly different problem set in mind. It's clear that the OASIS standards are being adopted and used by both the Liberty Alliance and the IBM/Microsoft consortium. What's less clear is whether or not the Liberty standards and the WS-* standards will converge and, if so, how. The market and how users adopt the various standards will make the final decision.

This uncertainty needn't be a barrier for most organizations, however. Most of the products I've looked at support multiple protocols. The products will adapt as the standards change, and in many cases, your application will not be dependent on the specifics of the standard. My advice is to press forward, keeping a wary eye on the standards process and being careful about limiting your specific dependencies on any of them.