Linux in Government: Understanding Federated Identity Management
Back when Scott McNealy and Steve Ballmer took to a stage and began jumping around like a couple of square dancers headed out of the barn, I couldn't for the life of me figure out what they were so happy about. I guess it just goes to show that they had some secret they thought was gonna make them even richer. They even put a hex on the next hockey season with all their fan-dangling around holding up Detroit Piston jerseys and all.
I didn't understand what was so important. So when Steve stood up and said he was giving Mr. McNealy $700 million to resolve pending antitrust issues and $900 million to resolve patent issues and then smiled, well, more than a few heads turned that day. In addition, Sun and Microsoft agreed to pay royalties for use of each other's technology, with Microsoft making an up-front payment of $350 million and Sun making payments when Microsoft's technology was incorporated into its server products.
Back then, most of us did not realize that technology was the important issue of that day. Sun had a fairly substantial lead on everyone except IBM in large-scale computing environments for managing user identities, authentication and authorization. In fact, Sun's federated identity management products ran about even with IBM's Tivoli in every category that mattered. Meanwhile, Microsoft needed a partner to catch IBM.
Another thing comes to mind now that Sun has sworn off the Linux desktop. Microsoft wants into the big metal game, something IBM has refused to permit. With Microsoft paying off IBM for attempting to cut off its "air supply", our friends from Redmond just might wind up on big Sun iron while giving IBM a fat raspberry.
As a result of Sun and Microsoft's agreement, their engineers began to cooperate on identity information. That originally sounded like Linux would get to log on to Active Directory. In fact, it meant that Active Directory and Java System Identity Server would work together. Most people including the press thought Sun's ability to log on to Active Directory looked like the big win. Today, we realize that Microsoft needed Sun, not the other way around.
Actually, we should be asking how important federated identity management (FIM) is. It's the linchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones and devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.
People use FIM to refer to a system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. You might see it referred to as single sign-on (SSO).
Partners in a federated identity management (FIM) system depend on one another to authenticate their respective users and vouch for their access and privileges to services. Each partner involved relies on the other for verification. The partners comprise a circle of trust.
For example, a federated system allows a company such as AT&T to build a service where dozens of third-party suppliers come together in one service offering. I use AT&T's voice over IP service myself. As it turns out, nearly every service on the system comes from a third party, including billing, activation and management of the VoIP telephone adapter, voice mail, call filtering, e-mail, caller ID, three-way calling, call forwarding, fax and modem support, call waiting and so on.
Without AT&T's federated identity management system, each service provider would require you to have a separate ID and password. Instead, each company has to trust its partners to vouch for their own users. Each partner must rely on the other partner to say, "This user is okay; let them access this application."
Standards do exist, and that's a problem: there are several of them, and they do not interoperate. It's such a problem that President Bush had to issue a directive called Homeland Security Presidential Directive 12 (HSPD-12). That directive morphed into Federal Information Processing Standard 201 (FIPS 201). According to Mary Dixon, deputy director of the Defense Manpower Data Center, quoted in Government Computer News:
A big issue for us is interoperability between vendor cards. We also have to figure out how to make sure everyone we hire goes through the National Agency Check. That is a big challenge for everyone.
Standards allow companies to share applications without needing to adopt the same technologies for directory services, security and authentication. Within a company, directory services have permitted companies to recognize their users through a single identity. Asking other organizations to match technologies or maintain user accounts for their partners' employees creates chaos.
A struggle exists to get everyone on board. The following standards-making bodies each are attempting to emerge as the final candidate.
OASIS and SAML
We can begin with the Security Assertion Markup Language (SAML). The Organization for the Advancement of Structured Information Standards (OASIS) developed SAML as an XML-based specification. Now in its second version, SAML initially provided a common language for three kinds of assertions:
Authentication assertions, which are declarations about a user's identity
Attribute assertions containing particular details about a user
Authorization decision assertions, which specify what the user is allowed to do on a particular site
SAML authorities, which are server-based applications, issue assertions. When an entity requests access to a resource, a SAML authority provides a digitally signed token that the entity can use for further requests without needing re-authentication.
Microsoft, IBM and WS-Fed
Microsoft and IBM published a joint white paper outlining a roadmap for a set of Web service security specs. WS-Security originally offered methods for attaching security tokens to messages. These tokens include identity tokens.
In my opinion, Microsoft often gets into a standards effort and creates havoc. It seems that monopolizing an area of technology remains the company's underlying purpose for getting involved. Microsoft's WS-Fed did not arise from participation in a standards-making body. You would have to consider WS-Fed a homegrown attempt to create a de facto standard, such as Microsoft's XML file formats for its Office productivity line.
Liberty Alliance
A majority of industry partners initiated the Liberty Alliance. They provide three basic specs:
Liberty Identity Federation Framework (ID-FF). ID-FF allows for a single sign-on, account linkages, anonymity, affiliations and various options for meta-data exchange.
Liberty Identity Web Services Framework (ID-WSF). ID-WSF provides features for permission-based attribute sharing, identity service discovery, interaction service security profiles and identity services templates.
Liberty Identity Services Interfaces Specifications (ID-SIS). ID-SIS provides for building interoperable services on ID-WSF. Such services could include an address list, contact book, calendar or applications with geo-location data. ID-SIS offers interoperability through the use of agreed-upon, context-dependent schemas.
These specifications can be used independently as well as in combination. IBM joined the Liberty Alliance, and synergy between SAML and Liberty exists for developing an accepted converged standard.
While Sun Microsystems and Microsoft began extending their own identity management platforms to include federation and cross-company pollination, the Free/Open-Source crowd entered the game a little late. IBM deploys the leading product, Tivoli, on Linux servers, and that's a big plus for the community.
An open-source company called Ping Identity Corporation appears as the best hope for open solutions. PingID, a venture created by André Durand and people from Jabber, originally seemed to run in a stealth mode compared to other technology companies in the federated space. Now, the company has completed a financing round, originally a $7.5 million Series B, which became oversubscribed when SAP Ventures joined.
Not forgetting its roots, Ping Identity Corporation sponsors SourceID, which is an open-source federated identity management project. SourceID provides open-source toolkits for SAML, Liberty and WS-Fed. SourceID toolkits focus on ease of integration and deployment within existing Web applications, products or services. SourceID provides high-level developer functionality and customization. The project designed SourceID to shield the integrator and enterprise from the typical complexities of federation and the changing federation standards.
Ping Identity Corporation fits the model of an Open Source Maturity Model company. You should find its Federal Identity Primer extremely informative. Also, you can download developer use cases in PDF format from here.
We all might find some difficulty in finalizing our thoughts on federated identity management. Perhaps the momentum behind the standards and the technology could change, and we might wind up with a totally different solution than the ones existing today. Most people in the technology field will say that once people start down a certain road, though, they seem compelled to stay on it. I tend to think that the three standards will merge or learn to co-exist.
At the moment, federated identity management is becoming the next buzzword on the street. Those who do not know about it or understand it might find themselves challenged in their careers. I hope this article gives you a start on the path toward researching it.
Tom Adelstein is a Principal of Hiser + Adelstein, a consulting and operating company specializing in free and open-source software solutions and support. Tom is the co-author of the book Exploring the JDS Linux Desktop, author of an upcoming book on Linux system administration and has written prolifically since 1985. Tom's business career began in public accounting, where he first learned to program and develop software, and later progressed to Wall Street, where he became the designated principal of a NYSE firm. He later returned to technology and has consulted and worked with start-ups as well as leaders of the Fortune 500.