Linux in Government: Understanding Federated Identity Management

Nothing is as powerful as an idea whose time has come--except this one.

Back when Scott McNealy and Steve Ballmer took to a stage and began jumping around like a couple of square dancers heading out of the barn, I couldn't for the life of me figure out what they were so happy about. I guess it just goes to show that they had some secret they thought was gonna make them even richer. They even put a hex on the next hockey season with all their fan-dangling around holding up Detroit Pistons jerseys and all.

I didn't understand what was so important. So when Steve stood up and said he was giving Mr. McNealy $700 million to resolve pending antitrust issues and $900 million to resolve patent issues and then smiled, well, more than a few heads turned that day. In addition, Sun and Microsoft agreed to pay royalties for use of each other's technology, with Microsoft making an up-front payment of $350 million and Sun making payments when Microsoft's technology was incorporated into its server products.

Back then, most of us did not realize that technology was the important issue of that day. Sun had a fairly substantial lead on everyone except IBM in large-scale computing environments that manage user identities, authentication and authorization. In fact, Sun's federated identity management products ran about even with IBM's Tivoli in every category that mattered. Meanwhile, Microsoft needed a partner to catch IBM.

Another thing comes to mind now that Sun has sworn off the Linux desktop. Microsoft wants into the big metal game, something IBM has refused to permit. With Microsoft paying off IBM for attempting to cut off its "air supply", our friends from Redmond just might wind up on big Sun iron while giving IBM a fat raspberry.

As a result of Sun and Microsoft's agreement, their engineers began to cooperate on identity information. That originally sounded like Linux would get to log on to Active Directory. In fact, it meant that Active Directory and Java System Identity Server would work together. Most people, including the press, thought Sun's ability to log on to Active Directory looked like the big win. Today, we realize that Microsoft needed Sun, not the other way around.

What's Federated Identity Management (FIM)?

Actually, we should be asking how important FIM is. It's the linchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones and devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.

People use FIM to refer to a system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. You might see it referred to as single sign-on (SSO).

Partners in a FIM system depend on one another to authenticate their respective users and vouch for their access and privileges to services. Each partner involved relies on the others for verification. Together, the partners comprise a circle of trust.

For example, a federated system allows a company such as AT&T to build a service where dozens of third-party suppliers come together in one service offering. I use AT&T's voice over IP service myself. As it turns out, nearly every service on the system comes from a third party, including billing, activation and management of the VoIP telephone adapter, voice mail, call filtering, e-mail, caller ID, three-way calling, call forwarding, fax and modem support, call waiting and so on.

Without AT&T's federated identity management system, each service provider would require you to have a separate ID and password. Instead, the company has to trust its partners to vouch for their own users. Each partner must rely on the other partner to say, "This user is okay; let them access this application."

Do Standards Exist?

Standards do exist, and that's a problem. It's such a problem that President Bush had to issue a directive called Homeland Security Presidential Directive 12 (HSPD-12). That directive morphed into Federal Information Processing Standard 201 (FIPS 201). According to Mary Dixon, deputy director of the Defense Manpower Data Center, quoted in Government Computer News:

A big issue for us is interoperability between vendor cards. We also have to figure out how to make sure everyone we hire goes through the National Agency Check. That is a big challenge for everyone.

Standards allow companies to share applications without needing to adopt the same technologies for directory services, security and authentication. Within a company, directory services permit it to recognize its users through a single identity. Asking other organizations to match technologies or maintain user accounts for their partners' employees creates chaos.

A struggle exists to get everyone on board. The following standards-making bodies are each attempting to emerge as the final candidate.


We can begin with the Security Assertion Markup Language (SAML). The Organization for the Advancement of Structured Information Standards (OASIS) developed SAML as an XML-based specification. Now in its second version, SAML initially provided a common language for three kinds of assertions:

  1. Authentication assertions, which are declarations about a user's identity

  2. Attribute assertions containing particular details about a user

  3. Authorization decision assertions, which specify what the user is allowed to do on a particular site

SAML authorities, which are server-based applications, issue assertions. When an entity requests access to a resource, a SAML authority provides a digitally signed token that the entity can use for further requests without needing re-authentication.
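As an added example (not code from the article, OASIS or any vendor named here), this is the set of checks a relying party in a circle of trust should run over one SAML 2.0 assertion that carries all three assertion kinds before acting on any of them: trusted issuer, signature, validity window and audience. The assertion, the issuer list and the shared key are constructed, and an HMAC over the serialized assertion stands in for the XML signature a real SAML authority would apply.

```python
import hmac, hashlib
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion carrying all three statement kinds the article lists
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
<saml:Issuer>https://idp.example.gov</saml:Issuer>
<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.gov</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
<saml:AttributeStatement><saml:Attribute Name="clearance">
<saml:AttributeValue>secret</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<saml:AuthzDecisionStatement Resource="https://sp.example.gov/records" Decision="Permit"/>
</saml:Assertion>"""

# Circle of trust: the issuers this service provider accepts and the key shared with each.
# An HMAC over the serialized assertion stands in for the XML signature (assumption).
TRUSTED_ISSUERS = {"https://idp.example.gov": b"constructed-shared-key"}
MY_AUDIENCE = "https://sp.example.gov"

def sign(assertion_xml, key):
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def validate(assertion_xml, signature, now):
    """Relying-party checks; returns (accepted, reason, facts). Every check must pass."""
    root = ET.fromstring(assertion_xml)
    key = TRUSTED_ISSUERS.get(root.findtext("saml:Issuer", namespaces=NS))
    if key is None:
        return False, "untrusted issuer", {}
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        return False, "bad signature", {}
    cond = root.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window", {}
    if MY_AUDIENCE not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        return False, "not addressed to this audience", {}
    facts = {  # the three assertion kinds, now safe to rely on
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authenticated": root.find("saml:AuthnStatement", NS) is not None,
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in root.iterfind(".//saml:Attribute", NS)},
        "decisions": {d.get("Resource"): d.get("Decision")
                      for d in root.iterfind("saml:AuthzDecisionStatement", NS)},
    }
    return True, "ok", facts
```

Only an assertion that passes every check yields facts; a tampered subject fails the signature check, and an assertion from an issuer outside the circle of trust is rejected before its signature is even examined.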

Microsoft, IBM and WS-Fed

Microsoft and IBM published a joint white paper outlining a roadmap for a set of Web service security specs. WS-Security originally offered methods for attaching security tokens to messages. These tokens include identity tokens.

In my opinion, Microsoft often gets into a standards effort and creates havoc. It seems that monopolizing an area of technology remains the company's underlying purpose for getting involved. Microsoft's WS-Fed did not arise from participation in a standards-making body. You would have to consider WS-Fed a homegrown attempt to create a de facto standard, such as Microsoft's XML file formats for its Office productivity line.

Liberty Alliance

A majority of industry partners initiated the Liberty Alliance. They provide three basic specs:

  1. Liberty Identity Federation Framework (ID-FF). ID-FF allows for a single sign-on, account linkages, anonymity, affiliations and various options for meta-data exchange.

  2. Liberty Identity Web Services Framework (ID-WSF). ID-WSF provides features for permission-based attribute sharing, identity service discovery, interaction service security profiles and identity services templates.

  3. Liberty Identity Services Interfaces Specifications (ID-SIS). ID-SIS provides for building interoperable services on ID-WSF. Such services could include an address list, contact book, calendar or applications with geo-location data. ID-SIS offers interoperability through the use of agreed-upon, context-dependent schemas.

These specifications can be used independently as well as in combination. IBM joined the Liberty Alliance, and synergy between SAML and Liberty exists for developing an accepted converged standard.


globus toolkit for grid computing

Will McCammon

I think that this problem is well-addressed in the Globus toolkit. The Globus community is planning beyond the "next step" into the future of global grid application security frameworks.

see #globus


Ralph

Sorry for making this two comments. I remembered SXIP right after I submitted the last comment.

The FIM that I want to succeed is SXIP. It has some real advantages for the users. It is open source (a huge advantage for a security product) and very configurable as to what data you release.

For further study

Ralph

It was good to read about this. I had not read anything on FIM for a few months. An issue the author did not discuss in his brief article was the privacy problem. Microsoft's and Sun's solutions in the past have had a bad problem, at least as I see it. They allowed way too much personal information to pass to systems you are authenticating to. One of the things I really like about PING is how much control the user has. I realize most users will probably expose too much of their own information. At least it will be their own fault and not a requirement of the network.

If you want to hear more about FIM, I suggest listening to a few of the audio streams on Digital Identity at Try looking at:
for a few samples. This is an important topic with a lot of implications. I'd like to see the author tackle the subject at greater length.

additional information

Jay Wack

It might interest you to know that the industry response to HSPD-12 is moving very quickly. The standard from NIST, to facilitate interoperability, is published as FIPS 201 (with its attendant sub-documents, SP 800-73 et al.). Further, the market is also aware that MULTOS, as a vetted, secure card operating system, is now available in the US, including the Constructive Key Management necessary to afford confidentiality for multiple applications under different ownership on a common platform (see ANSI X9.69 & X9.73).
The vision of a common platform is here. The necessary standards-based technologies are here. MULTOS w/ CKM.

It would be nice if you read the article

Anonymous

Your comment is equivalent to spam.

The author discussed FIPS 201, and the problem is cross-vendor interoperability. It's a problem everywhere.

No, it's moving, but not as fast as you would like people to believe. And no, your company doesn't have the answer. And no, the vendors aren't compliant with the standards.

Give us a B-R-E-A-K.

What's wrong with a little advertising?

Anonymous

The guy could have said Bluefish Technologies and mobEcom Ltd. instead of sounding like he was promoting a standard or something. I guess. I wouldn't care.


Anonymous

I love how the identity of the anonymous posters is unverified... now that is ironic, and what I believe is the source of the entire problem with ID mgmt...... unverified assertions and the currently flawed trust model (PKI) is the problem... I believe a new trust model, not new technology, is going to solve the problem of interoperability... and pave the way for a de facto standard... right now, everyone is using the Staff of Ra taken from the Nazi's burned palm in Raiders of the Lost Ark... they are digging in the wrong place...