The Liberty Alliance next week will announce two new draft specifications and, for the first time, turn over a portion of its work to a standards group, providing the first evidence that efforts to create a standards-based identity management framework may be fragmenting.
Liberty will announce at next week’s RSA Conference that the first phase of its work, which was completed in June 2002 and updated in January, will be turned over to the Organization for the Advancement of Structured Information Standards (OASIS). The first phase, which was renamed Identity Federation Framework (ID-FF) in March, is basically Liberty’s Version 1.1 specification that outlines single sign-on and account sharing between partners with established trust relationships.
The Liberty move may be a reaction to IBM and Microsoft, which are not Liberty members but are trying to create their own federated identity management framework built on WS-Security, an evolving web services standard they created and submitted to OASIS.
"I fear that the IBM/Microsoft Web Services Security Group and the Liberty Alliance have passed the point of no return in that they can no longer get together and create a common model for federated identity," says Dan Blum, an analyst with the Burton Group. "Above WS-Security, they are not sharing similar components."
Draft specifications for Liberty’s second and third phases of work, which now incorporate the WS-Security protocol for securing web services messages, also will be introduced at RSA and will outline how to build a permission framework and sets of services for user identities that can be shared across the internet. The second phase of Liberty’s work, called Identity Web Services Framework (ID-WSF), will allow islands of trusted partners to link to other islands of trusted partners and provide users with the ability to control how their identity information is shared. Phase 3, called Identity Services Interface Specifications (ID-SIS), will build services on top of ID-WSF.
The two draft specifications are not being submitted to OASIS at this time but will be opened to the usual public review.
"I think it is significant that Liberty is ready to open up to a wider world than its own group," says Prateek Mishra, co-chair of the Security Services technical committee at OASIS and director of technology and architecture at Netegrity, a Liberty Alliance member.
Liberty’s Version 1.1 specification will become a foundation document to help create Version 2 of OASIS’s Security Assertion Markup Language (SAML), according to sources. SAML 1.0 is a standard for exchanging authentication and authorization information and is incorporated into and extended by Liberty’s Version 1.1. The hope is that ID-WSF and ID-SIS will eventually extend SAML 2.0 to create a single standards-based environment for federated identity and sharing of identity credentials.
Work on SAML 2.0 will begin at the end of June, according to Mishra.
Handing Version 1.1 over to OASIS is a milestone because Liberty, which has 160 members, is now fully aligned with SAML and OASIS after claiming previously that it was a de facto standards organisation.
Liberty’s change of heart may be a preemptive strike in a developing clash with Microsoft and IBM, which have combined to create a palette of web services specifications. The duo’s work has led to some clashes with other standards efforts, including those for reliable messaging and business process workflow.
The Microsoft/IBM tandem is working on a specification, called WS-Federation, for brokering and creating trust between partners in a federated environment similar to ID-WSF.
WS-Federation is a module the tandem is developing for WS-Security and is one of six extensions to WS-Security (including WS-Policy and WS-Trust) that were introduced in December and that now squarely overlap with Liberty and its commitment to build higher-level identity services by extending SAML.
With Liberty also incorporating WS-Security into its base specifications, it is now clear Liberty and IBM/Microsoft are starting from the same point, but taking divergent paths toward identity management.
"Within the next family of specifications the Liberty Alliance has made use of WS-Security," confirms Michael Barrett, president of the Liberty Alliance management board and vice president of Internet technology strategy at American Express.
"But at the Alliance we don’t have the not-invented-here syndrome. We feel an open-ended consortium is better than the proprietary approach."
In March, the Alliance created a new blueprint of its work that broke Liberty’s monolithic specification into three components of identity management that can evolve separately and be used together or independently. That blueprint allows vendors to implement the technology as it is created instead of waiting for one monolithic specification. The blueprint also allowed Liberty to submit just a portion of its work to OASIS.
"As our thinking evolved we realised that network identity was a set of components," Barrett says.
The component approach is much the same as the one Microsoft and IBM are taking as part of their WS-Security roadmap, introduced in April 2002.
The new Phase 2 Liberty draft specification component, ID-WSF, which was previously called Version 2.0, will complement ID-FF. The Phase 3 specification, ID-SIS, will build a set of interoperable services such as registration profiles, contact books, geo-location or alert services on top of ID-WSF. The first ID-SIS will be ID-Personal Profile, which will define a basic profile template that can be used to build a registration service.
The two draft specifications will include some 20 new features and capabilities. Liberty hopes to have final drafts later this year.
Liberty also plans an interoperability demonstration at the RSA Conference next week with some 18 vendors that have implemented Version 1.1 of the Liberty specification, including Novell, Sun, Ericsson and Communicator.