Give Me Liberty

While Microsoft has tried something similar to this built on its Passport product, called My Services (and formerly known as Hailstorm), the company met a great deal of reluctance on the part of developers and users alike. Microsoft quietly shelved My Services in April due to a lack of support.

Liberty technologies, which were shown by over a dozen vendors including Novell, Sun, RSA Technologies and others at the Burton Group Catalyst Conference this week in San Francisco, are the beginning of what is called "federated" identity: groups of heretofore independent Web sites and networks that agree to share common information about a user. In this case, the common information was limited to user name and password.

Liberty Alliance likes to refer to itself as "technically agnostic": rather than shipping software, it builds on an open-standard interface, the Security Assertion Markup Language, or SAML. SAML is an XML-based standard for exchanging authentication and authorization assertions between sites, developed by the Organization for the Advancement of Structured Information Standards (OASIS).

To support Liberty, a site need only adopt authentication software that speaks SAML; the sites then pass XML documents back and forth that carry the user's identity assertion and requests such as login or logout. Simplicity is the key here.


"Complexity is the enemy of security," says Brian O'Higgins, vice president and CTO for Entrust. "We're using well-known security with XML technology for dealing with identity."

That security is Secure Sockets Layer (SSL) 3.0, which protects the XML messages in transit between the sites. Additionally, RSA Data Security will announce its product support for Liberty this fall.

The first version of the Liberty Alliance specification is somewhat basic. A user can sign into one site at an "identity provider," which would be the ISP in the case of the consumer or their corporate systems in the case of the business user, and their identity is forwarded to other sites supporting Liberty Alliance protocols. A future version of the specification will allow for sharing more comprehensive authentication information.

Once logged into an identity provider, users then log into other sites, such as an e-commerce site or a corporate intranet, and can choose to "federate" their identity if the destination site also supports Liberty. From that point forward, a relationship exists between the two sites: when the user comes back to that site from their identity provider, they no longer need to enter a username and password, because the identity provider's assertion logs them in.

As they move from one site to another, so long as they have already agreed to federate their identity, the user is spared the annoyance of having to remember their login and password. Liberty has what it calls a "circle of trust," in which an identity provider has established a relationship with destination sites and already trusts those sites for information exchanges.

"Today, the situation we have to use our identity is you have to take your identification out of your wallet at every site you visit," says Jonathan Schwartz, executive vice president of software for Sun. "That's like asking travelers on the autobahn to stop and pay a toll every mile. This is about taking away those tolls and letting people move freely."

Liberty Alliance also provides a mechanism for users to log out, so if they have signed onto several sites during their surfing, with one click they are logged out of every site at once. They also have the option of breaking their federation with a site if they so choose.
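The exchange described above (login at the identity provider, an opaque federation between the user and each site in the circle of trust, assertion-based return visits, single logout), as an added example that is not Liberty Alliance's or any vendor's code. It models both sides of the protocol in plain Python. The XML is a toy stand-in for SAML and the messages are authenticated with an HMAC over a pre-shared per-partner key, a deliberate simplification in place of XML-Signature plus SSL between the sites; the site names, keys and the user table are constructed for the example.

```python
import hmac
import hashlib
import secrets
import time
import xml.etree.ElementTree as ET

FIELDS = ("Type", "Issuer", "Audience", "Handle", "IssueInstant", "NotOnOrAfter")


def canonical(attrs):
    # Toy canonicalization: fixed field order joined by '|'. Real SAML signs the
    # XML with XML-Signature over a canonicalized (C14N) document instead.
    return "|".join(attrs[f] for f in FIELDS).encode()


def sign(key, attrs):
    return hmac.new(key, canonical(attrs), hashlib.sha256).hexdigest()


def to_xml(attrs, sig):
    root = ET.Element("Message")
    ET.SubElement(root, "Assertion", attrs)
    ET.SubElement(root, "Signature").text = sig
    return ET.tostring(root, encoding="unicode")


def from_xml(doc):
    root = ET.fromstring(doc)
    return dict(root.find("Assertion").attrib), root.findtext("Signature")


class IdentityProvider:
    def __init__(self, name, users, now=time.time):
        self.name, self.users, self.now = name, users, now  # users: constructed table
        self.partner_keys = {}   # circle of trust: SP name -> pre-shared key
        self.sessions = {}       # session id -> local username
        self.federations = {}    # (username, SP) -> opaque handle
        self.reached = {}        # session id -> SPs logged into via this session

    def trust(self, sp_name, key):
        self.partner_keys[sp_name] = key

    def login(self, user, password):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid], self.reached[sid] = user, set()
        return sid

    def federate(self, sid, sp_name):
        # One opaque handle per (user, SP): the SP never sees the IdP username,
        # and two SPs cannot correlate a user by comparing handles.
        return self.federations.setdefault((self.sessions[sid], sp_name), secrets.token_hex(8))

    def defederate(self, sid, sp_name):
        self.federations.pop((self.sessions[sid], sp_name), None)

    def _message(self, mtype, sid, sp_name, lifetime=300):
        handle = self.federations.get((self.sessions[sid], sp_name))
        if sp_name not in self.partner_keys or handle is None:
            return None  # outside the circle of trust, or not federated
        now = int(self.now())
        attrs = {"Type": mtype, "Issuer": self.name, "Audience": sp_name, "Handle": handle,
                 "IssueInstant": str(now), "NotOnOrAfter": str(now + lifetime)}
        return to_xml(attrs, sign(self.partner_keys[sp_name], attrs))

    def assert_identity(self, sid, sp_name):
        msg = self._message("Login", sid, sp_name)
        if msg:
            self.reached[sid].add(sp_name)
        return msg

    def single_logout(self, sid):
        # One click: a signed logout message for every site this session reached.
        msgs = {sp: self._message("Logout", sid, sp) for sp in self.reached.pop(sid, ())}
        del self.sessions[sid]
        return msgs


class ServiceProvider:
    def __init__(self, name, idp_name, key, now=time.time):
        self.name, self.idp_name, self.key, self.now = name, idp_name, key, now
        self.accounts = {}   # handle -> local account (the federation, SP side)
        self.sessions = {}   # handle -> True while logged in here

    def _verify(self, doc, expected_type):
        attrs, sig = from_xml(doc)
        if not hmac.compare_digest(sign(self.key, attrs), sig):
            raise ValueError("bad signature")
        if attrs["Issuer"] != self.idp_name or attrs["Audience"] != self.name:
            raise ValueError("not issued by my IdP for me")
        if attrs["Type"] != expected_type:
            raise ValueError("unexpected message type")
        if int(self.now()) >= int(attrs["NotOnOrAfter"]):
            raise ValueError("assertion expired")
        return attrs["Handle"]

    def consume(self, doc, local_account=None):
        handle = self._verify(doc, "Login")
        if handle not in self.accounts:   # first visit: bind handle to a local login
            if local_account is None:
                raise ValueError("unknown handle; local login needed to federate")
            self.accounts[handle] = local_account
        self.sessions[handle] = True
        return self.accounts[handle]

    def handle_logout(self, doc):
        return self.sessions.pop(self._verify(doc, "Logout"), False)


def demo():
    keys = {"shop.example": b"key-shop", "intranet.example": b"key-intranet"}  # constructed
    idp = IdentityProvider("isp.example", {"alice": "hunter2"})
    sps = {n: ServiceProvider(n, "isp.example", k) for n, k in keys.items()}
    for n, k in keys.items():
        idp.trust(n, k)
    sid = idp.login("alice", "hunter2")
    handles = {n: idp.federate(sid, n) for n in sps}
    # First visit to each site: one local login, after which the handle is bound.
    sps["shop.example"].consume(idp.assert_identity(sid, "shop.example"), "alice@shop")
    sps["intranet.example"].consume(idp.assert_identity(sid, "intranet.example"), "a.smith")
    returning = sps["shop.example"].consume(idp.assert_identity(sid, "shop.example"))
    outsider = idp.assert_identity(sid, "random.example")  # not in the circle of trust
    ended = {n: sps[n].handle_logout(m) for n, m in idp.single_logout(sid).items()}
    return {"returning_account": returning, "outsider": outsider, "logged_out": ended,
            "handles_differ": handles["shop.example"] != handles["intranet.example"]}
```

Two things the prose above leaves implicit are visible here: the service provider never receives the identity provider's username, only a per-site handle, so the sites in the circle cannot correlate the user among themselves; and every assertion is bound to one audience and a short validity window, so a message captured for the shop cannot be replayed at the intranet or later.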

Sun Microsystems formed the Liberty Alliance last September and work began on the specification in January of this year. Sun was joined by AOL, American Airlines, Bank of America, eBay, Fidelity Investments, Hewlett-Packard, Nokia, Software Information Industry Association, Sprint, United Airlines, Visa International and Xerox.

Microsoft has not committed to supporting the Liberty Alliance specification, but it doesn't have to. OpenNetwork announced plans to link Passport user information with SAML-based sites through its DirectorySmart LDAP directory.

Also announcing its product support for Liberty Alliance was Novell, which says eDirectory and iChain would both support SAML by the end of the year. A site with iChain as its front-end security system will allow for Liberty support without requiring any modifications to back-end systems, the company says.

OneName says it will support the Liberty specifications in its OneName Identity Server, which will ship in the third quarter. Entrust says it will support Liberty in Entrust GetAccess, the entitlements component of its Secure Web Portal, and Sun plans to support Liberty in its Sun ONE products.