- After more than a year spent crafting a specification, the Liberty Alliance Project now has some of the largest end-user companies in the US testing it to see if Liberty can deliver on the promise of a federated identity management system.
A founding member of the alliance, General Motors, is testing the specification by incorporating it into security software for its employee intranet called MySocrates. The Liberty-enabled software gives users one ID for accessing internal human resources data and external websites for 401(k) and health-benefit services. GM also is evaluating the Liberty Alliance specification as the foundation for a universal authentication service for its network of 10,000 supplier partners.
"We hope any early successes will galvanise the industry around identity management and show the industry how it should move forward," says Rich Taggart, director of enterprise architecture and IT standards for GM's global technology management group.
A collection of the largest banks in the US is working with consulting firm Niteo Partners, another alliance member, to create a network for sharing data secured by Liberty-based identity services. The firm also is working with the Bond Market Association, a trade group representing the $US17 trillion global debt markets, to build a Liberty-secured data portal this year for bond dealers to do everything from find new issues to resolve post-trade disputes.
Each of these efforts is important proving ground for the 150-member Alliance, whose membership has grown sixfold since its inception in September 2001. The group plans its 2.0 release of the specification for mid-2003, which would add a permission framework that provides privacy controls.
The specification, which already has seen support in products from vendors such as Entrust, Novell, Oblix, RSA Security and Sun Microsystems details how to create a reusable user authentication token for use across websites. Key is support for the Security Assertion Markup Language (SAML), an XML-based standard for exchanging user identity information.
Liberty's efforts are similar to Microsoft's Passport single-sign-on service, which it is trying to adapt for corporate use.
GM has deployed Web Access Management products, which it declined to identify, that support the Liberty specification as part of its MySocrates intranet.
"We see the potential for enormous internal cost savings on things like password management and the help desk," Taggart says.
GM is asking vendors to detail plans for support of the Liberty specification and SAML in any product pitches they make.
"We won't throw out existing products; we want them updated with Liberty and SAML," Taggart says.
Niteo Partners hopes its work can be funneled into development of the Liberty specification. The firm is building a proof-of-concept network with the Financial Services Technology Consortium and a group of banks using Liberty-based authentication services.
"We hope to learn a lot about interoperability around Liberty and SAML, and find out if they provide enough semantic information and trust to allow services to execute," says Michael Versace, Niteo's national director of financial service.
Versace says he hopes to feed those practical implementation lessons into the Liberty development cycle to avoid the pitfalls of other security services efforts, namely public-key infrastructure.