A Standard for Single Sign-On Moves Forward

Although a lack of interoperability has threatened to hold Web services adoption back, Liberty Alliance, a group dedicated to forging an open identity standard, cracked that barrier by certifying nine single sign-in products in late June.

The group awarded Ericsson, Hewlett-Packard, IBM, Netegrity, Novell, Oracle, Ping Identity, Sun, and Trustgenix its “Liberty Alliance Interoperable” mark in a conformance test.

The certification, which covers Liberty Alliance Identity Federation Framework (ID-FF) version 1.1 and 1.2 for single sign-on services, involves a rigorous testing process that gauges identity federation, authentication, session management and privacy protection. Vendors must demonstrate interoperability with two other randomly selected participants.

Secure single sign-on services are a key ingredient for Web services, a high-flying concept for distributed computing that allows applications to talk to one another to perform tasks. But customers are afraid to “sign-on” without a secure brand, because crackers can swipe their personal information if the site is not safeguarded properly.

According to a Liberty statement, the products are interoperable out of the box, which pares deployment schedules and saves costs. This is key, as customers are loath to license technology if it isn’t supported by a validated standard, according to Gartner analyst Ray Wagner.

“Customers who are thinking about federation projects need some reassurance that there won’t be a huge amount of manual integration necessary between partners with different infrastructures,” Wagner told internetnews.com. “Requiring compliance with Liberty, SAML, WS-Federation, and WS-I Basic Security Profile, or a subset of the above, will provide some assurance that systems have the capability to work together.”

Wagner said he believes most vendors who make identity management products will provide compatibility with specs or standards in the short term, noting that Federation protocols in particular (SAML, Liberty, WS-Federation) will likely converge in the medium term.

With Liberty’s certification, companies can say that their products are compliant with the Liberty identity standard, making their identity management software more appealing to customers looking to shore up their Web services platforms with authentication via single sign-on services.

Forrester analyst Randy Heffner said using Identity Web Services Framework (ID-WSF) requires Liberty’s ID-FF and offers an interoperable path to Web services as long as users start with Liberty’s ID-FF.

“There is a test suite to ensure broad testing coverage of the technical interfaces,” Heffner told internetnews.com. “But successful operation of the tests is sort of on the honor system — except that a vendor who wants the Liberty logo must participate in an interoperability event and successfully connect with a couple of other randomly chosen products.”

“This is better than a simple, pre-planned interoperability event, which only proves that there is ‘at least one’ configuration by which products can work together — but not that this is the configuration that any given user might need,” Heffner concluded.

Web services have been slow to take off over the last few years, due to obstacles such as interoperability, security and manageability. But this is changing, owing in part to the steady work companies have been putting into the matter and the increasing acceptance of the broader service-oriented architecture approach to software services.

The following products are now Liberty compliant: the Ericsson Session & Identity Server 1; HP OpenView Select Access 6; IBM Tivoli Access Manager software family; Netegrity SiteMinder Federation Solution Module 6; Oracle Identity Management 10g; Ping Identity SourceID Liberty 2.1; Sun Java System Access Manager; and Trustgenix IdentityBridge 2.1.

Meanwhile, Novell is developing a Web authentication/authorization product that enables the secure federation of identity data through both the Liberty Alliance specifications and the SAML protocol. It is scheduled to ship in the first half of 2005.
