Web Services: Where Identity Management Goes From Here

SAML, Liberty, WS-Federation—a number of Web Services standards are competing for security managers’ attention. Here’s how to differentiate between the options.

As organizations increase their use of Web Services, they often hit a barrier: how to keep such transactions secure. As the size of Web Services deployments between businesses, partners, and customers increases, so do potential identity-management problems. What’s needed, then, are full-featured, secure frameworks for federating identity that everyone can agree on.

“Federated identity will only realize its true potential when enterprises large and small are able to deploy the technology easily and in a standard, interoperable, and relatively pain-free way,” notes Ray Wagner, vice president and research director at Gartner Inc.

While that has yet to happen, related efforts are underway by the Liberty Alliance, the Organization for the Advancement of Structured Information Standards’ (OASIS) SAML, and the Microsoft- and IBM-led WS-Federation, to create easy-to-deploy, interoperable, and full-featured Web Services identity management standards. To discuss where things stand, we spoke with Atul Tulshibagwale, CEO of Trustgenix Inc.; the company is helping develop SAML and Liberty Alliance federation standards.

How do organizations assess the different Web Services standards currently available?

There are two aspects to that question: how do you judge the quality of the standard itself, and how do you judge its security?

For the standard itself, it’s important to look at the structure of the company that’s coming up with the standard. So it’s OASIS, or Liberty, or a looser organization like the Microsoft and IBM WS-Federation. …

Liberty has a very structured approach to [development], and it has a management board staffed by companies which consume technology—not produce technology—such as Vodafone. So it has a structure that encourages and drives standards more by need, rather than by some vendor’s ability to do something. Then on the OASIS front … that’s a group that seems to have done a really good job of coming up with a standard after [a lot of public input]. … In fact, both OASIS and Liberty take this approach. But with the WS-Federation, there’s no constancy on how they arrived at the standard, and it seems to be more of a vendor-driven and closed process.

How can organizations judge the actual security of a Web Services standard?

When Liberty or [OASIS] puts out a draft, it is reviewed by the open Internet community, and everyone is free to comment, including organizations that have a pretty vested interest in the standard, such as Sony. So … there’s a lot of feedback—radio noise on the mailing list, where everyone is chatting about issues, and chatting about attacks people know about—and you end up with a standard … [borne of] the collective expertise of the Internet today.

Why that works is, every organization participating in the effort knows they can use the specification for free—the standard will not have any restrictions because of intellectual property. However, when you get to the WS-Federation standards, it gets to a point where any feedback received becomes the property of [the standard’s creators].

Beyond these two points, then you also get into actual implementations, and how you judge the quality of the implementation.

Do vendors’ implementations of standards vary widely?

What vendors typically try to do is create a really loose standard. … So a vendor claims support for Liberty 1.0 at some point, but it turns out that the only thing they could do was a Liberty log-out, because really they were [just] using SAML. So there needs to be some kind of concrete [statement] about what the actual interoperability capabilities are. Because what a customer wants to know is, does this product work out of the box, or do I need to hire a boatload of consultants to make [it] work? …

You need to have some kind of a certification program so these standards can really be counted on. … So that’s where we’d like to see the standards, and I think that’s critical for bringing order to the identity management space.

Are such certification programs currently available?

What we like most in the market is the certification program for the Liberty Alliance. … Now, some companies have a notable testing piece, … but unfortunately those companies also have products that implement those standards, so it becomes a little bit of an issue.

What’s the issue with companies who both test a standard and sell products implementing it?

There are [several] areas of conflict there … [such as] the company that is hosting that kind of service gets competitive intelligence about products, and … could [also] put the company running that service in a position of power about who can or cannot be certified.

Does having three different Web Services standards muddy the water?

We look at it as the precedent in the networking world. You had all these [competing] approaches—Banyan Vines, Microsoft NetBIOS, Token Ring, Novell NetWare. But once Ethernet came along, many of these technologies gave way to more standards-based technologies, like Ethernet and TCP/IP. So I think you’re likely to see more applications for federated identity and then resulting standards.

So in your paradigm, what does Ethernet equal in Web Services identity management terms?

I think that is likely to be SAML 2. … Our bet is that it will be increasingly common to see SAML 2 as the Web Services identity management standard going forward.

What happens when there’s a de facto identity management standard for Web Services?

Once you have that, and the next level [of identity management capabilities], … you can do more complex [projects], using some sort of a Web Services security mechanism, so that organizations can invoke Web Services across domains, using a Web Services standard. And that’s where things get a little interesting. Liberty’s identity management services framework seems to have done a lot of work in that area, and seems the most advanced, compared with the WS-Federation stack in that space—WS-Trust, and similar standards.

Where does the WS-Federation stand, feature-wise?

It’s fairly equivalent, at least to what SAML can do. I think there are maybe a few additional things in Liberty than there are in WS-Federation, but on the whole [they’re similar]. And WS-Federation, because of its clout with IBM and Microsoft, is going to see at least some adoption.

Related Articles:

Q&A: Moving to Web Services Identity Management
http://www.esj.com/Security/article.aspx?EditorialsID=1417

Q&A: The Future of Service-Oriented Architecture Security
http://www.esj.com/Security/article.aspx?EditorialsID=1371

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.