Linux in Government: Understanding Federated Identity Management
Back when Scott McNeally and Steve Ballmer took to a stage and began jumping around like a couple of squares dancers headed out the barn, I couldn't for the life of me figure out what they were so happy about. I guess it just goes to show that they had some secret they thought was gonna make them even richer. They even put a hex on the next hockey season with all their fan-dangling around holding up Detroit Piston jerseys and all.
I didn't understand what was so important. So when Steve stood up and said he was giving Mr. McNeally $700 million to resolve pending antitrust issues and $900 million to resolve patent issues and then smiled, well more than few heads turned that day. In addition, Sun and Microsoft agreed to pay royalties for use of each other's technology, with Microsoft making an up-front payment of $350 million and Sun making payments when Microsoft's technology was incorporated into its server products.
Back then, most of us did not realize that technology was the important issue of that day. Sun had a fairly substantial lead on everyone except IBM in large scale computing environments to manage user identities, authentication and authorization. In fact, Sun's Federated Identity management products ran about even with IBM's Tivoli in every category that mattered. Meanwhile, Microsoft needed a partner to catch IBM.
Another thing comes to mind now that Sun has sworn off the Linux desktop. Microsoft wants into the big metal game, something IBM has refused to permit. With Microsoft paying off IBM for attempting to cut off its "air supply", our friends from Redmond just might wind up on big Sun iron while giving IBM a fat raspberry.
As a result of Sun and Microsoft's agreement, their engineers began to cooperate on identity information. That originally sounded like Linux would get to log on to Active Directory. In fact, it meant that Active Directory and Java System Identity Server would work together. Most people including the press thought Sun's ability to log on to Active Directory looked like the big win. Today, we realize that Microsoft needed Sun, not the other way around.
Actually, we should be asking how important is FIM. It's the lynchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones, devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.
People use FIM to refer to a system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. You might see it referred to as single sign-on (SSO).
Partners in a federated identity management (FIM) system depend on one another to authenticate their respective users and vouch for their access and privileges to services. Each partner involved relies on the other for verification. The partners comprise a circle of trust.
For example, a federated system allows a company such as AT&T to build a service where dozens of third-party suppliers come together for one-service offering. I use AT&T's voice over IP service myself. As it turns out, nearly every service on the system comes from a third-party, including billing, activation and management of the VoIP telephone adapter, voice-mail, call filtering, e-mail, caller ID, three-way calling, call forwarding, fax and modem support, call waiting and so on.
Without AT&T's federated identity management system, each service provider would require you to have a separate ID and password. A company will have to trust its partners to vouch for their own users. Each partner must rely on the other partner to say, "This user is okay; let them access this application."
Standards do exist and that's a problem. It's such a problem that President Bush had to issue a directive called Homeland Security Presidential Directive/Hspd -12. That directive morphed into Federal Information Processing Standard 201 (FIPS 201). According Mary Dixon, deputy director of the Defense Manpower Data Center, quoted in Government Computer News:
A big issue for us is interoperability between vendor cards. We also have to figure out how to make sure everyone we hire goes through the National Agency Check. That is a big challenge for everyone.
Standards allow companies to share applications without needing to adopt the same technologies for directory services, security and authentication. Within a company, directory services have permitted companies to recognize their users through a single identity. Asking other organizations to match technologies or maintain user accounts for their partners' employees creates chaos.
A struggle exists to get everyone on board. We have the following standards making bodies attempting to emerge as the final candidate.
OASIS and SAML
We can begin with the Security Assertions Mark-up Language (SAML). The Organization for the Advancement of Structured Information Standards (OASIS) developed SAML as an XML-based specification. Now in it's second version, SAML initially provided a common language for three kinds of assertions:
Authentication assertions, which are declarations about a user's identity
Attribute assertions containing particular details about a user
Authorization decision assertions, which specify what the user is allowed to do on a particular site
SAML authorities, which are server-based applications, issue assertions. When an entity requests access to a resource, a SAML authority provides a digitally signed token that the entity can use for further requests without needing re-authentication.
Microsoft, IBM and WS-Fed
Microsoft and IBM published a joint white paper outlining a roadmap for a set of Web service security specs. WS-Security originally offered methods for attaching security tokens to messages. These token include tokens for identity.
In my opinion, Microsoft often gets into a standards effort and creates havoc. It seems that monopolizing an area of technology remains the company's underlying purpose for getting involved. Microsoft's WS-Fed did not arise from participation in a standards making body. You would have to consider WS-Fed a homegrown attempt to create a de-facto standard, such as Microsoft's XML file formats for its Office productivity line.
A majority of industry partners initiated the Liberty Alliance. They provide three basic specs:
Liberty Identity Federation Framework (ID-FF). ID-FF allows for a single sign-on, account linkages, anonymity, affiliations and various options for meta-data exchange.
Liberty Identity Web Services Framework (ID-WSF). ID-WSF provides features for permission-based attribute sharing, identity service discovery, interaction service security profiles and identity services templates.
Liberty Identity Services Interfaces Specifications (ID-SIS), ID-SIS provides for buildable interoperable services on ID-WSF. Buildable services could include an address list, contact book, calendar or applications with geo-location data. ID-SIS offers interoperability through the use of agreed upon context-dependent schemas.
These specifications can be used independently as well as in combination. IBM joined the Liberty Alliance, and synergy between SAML and Liberty exists for developing an accepted converged standard.
Editorial Advisory Panel
Thank you to our 2014 Editorial Advisors!
- Jeff Parent
- Brad Baillio
- Nick Baronian
- Steve Case
- Chadalavada Kalyana
- Caleb Cullen
- Keir Davis
- Michael Eager
- Nick Faltys
- Dennis Frey
- Philip Jacob
- Jay Kruizenga
- Steve Marquez
- Dave McAllister
- Craig Oda
- Mike Roberts
- Chris Stark
- Patrick Swartz
- David Lynch
- Alicia Gibb
- Thomas Quinlan
- Carson McDonald
- Kristen Shoemaker
- Charnell Luchich
- James Walker
- Victor Gregorio
- Hari Boukis
- Brian Conner
- David Lane