The Push for Federated Identity Management
The growth in Web Services and service-oriented architectures enables businesses to more quickly and automatically trade information and computing resources. Now it’s up to federated identity management to secure it.
Web services and service-oriented architectures are allowing businesses to more quickly and efficiently trade information and computing resources with business partners. “You’re finding more and more companies are trying to extend their infrastructure outside of their specific firewall,” notes Bill Bartow, senior vice president of identity and access management products at Computer Associates (CA).
As companies increase the size and reach of their Web services implementations, however, they face a road block: keeping it all secure. Part of the problem relates to whichever security specifications or protocols a particular company has adopted. “An individual customer could be working with two different protocols at once, between business partners,” says Joe Antony, director of identity management for IBM Tivoli. Some companies also already juggle multiple protocols internally.
Yet extending a Web Services infrastructure—whether between business units in one company or between business partners—requires making essential security information available, regardless of protocols used.
To do that, companies can now adopt federated identity management. “Federated identity just starts with authenticating the authorization information. That’s what identity federation is defined as,” says Atul Tulshibagwale, director of identity federation for HP’s OpenView. With that handled, “then you can have other services, including secure Web services.”
Federated identity management allows companies to create large Web services implementations that scale securely. As a result, “federated identity is an area of growing interest to organizations with integrated business models, and a requirement to enable secure access to data and resources for distributed users and trading partners,” notes Stacey Quandt, the research director of security solutions and services for Boston-based AberdeenGroup.
The Push for Federated Identity
Federated identity adoption is already underway, and “while financial services—always an early adopter of technology—is leading the deployment of federated identity, it is also on the roadmap of many organizations,” notes Quandt. For example, “companies such as AOL, Fidelity, and Orange have deployed federated identity solutions.”
Despite such high-profile rollouts, however, federated identity remains the domain of larger enterprises. As Quandt notes, “the small to medium-size business segment is still grappling with identity management”—never mind federating it.
Furthermore federated identity management technology is nascent, and indeed still first-generation, says Bartow. “Anyone who’s tried to program a system for provisioning to more than four or five target endpoints knows it’s harder than it should be,” though he expects that to change within a couple of years.
Really, though, few users are at that stage, says Tulshibagwale. “Right now, I think people are just starting to feel comfortable federating authentication on a large scale, and the rollouts are starting to get larger.” As they get comfortable, however, projects will move beyond just the authentication component. “The next phase is, you exchange attributes, of the users, on a large scale. For example, you can fetch the attributes for users as they come onto your Web site,” he says. “Then beyond that, business-to-business and service-oriented architectures would be a definite possibility, where somehow the user information is coordinated with a user session.”
Navigating Web Services Standards
Federated identity management relies on Web services security standards, and according to Quandt, “the most important standards today are SAML and WS-Security.” She’s referring, respectively, to Security Assertion Markup Language (SAML) from the Organization for the Advancement of Structured Information Standards (OASIS), and WS-Security, from the WS-Federation, which is led by Microsoft and IBM.
The two standards are slightly redundant. “WS-Security and SAML solve the same problem in different ways, just as J2EE and .NET are different approaches to Web services,” she says. Even so, when companies evaluate Web services products, she recommends selecting one that thoroughly implements and works with multiple standards, since “the ability to support multiple protocols lowers the barrier to achieving the benefits of federated identity.” In other words, more standards interoperability means easier connectivity with business partners, and faster and more effective federated identity management rollouts.
Notably absent from Quandt’s round-up of important standards is the Liberty Alliance specification. That, she says, is because “much of Liberty has been consolidated into SAML.” Such consolidation is good for users, she says, since one challenge—for any given technology or user base—“is that too many standards can slow adoption.”
The Federated Identity Market
For selecting federated identity management technology, Quandt says the leading vendors (in alphabetical order) are BMC, CA, HP, IBM, Novell, Oracle, Passlogix, and Ping Identity. The market has recently seen intense consolidation, as many players strive to create identity management suites with common interfaces and management consoles.
Identity management suites, however, are not the only game in town. In particular, “Passlogix offers federated single sign-on and has announced partnerships with IBM, Gemplus, and others. For example, IBM will add support for Passlogix’s single-password access to Tivoli Access Manager for Enterprise Single Sign-On,” says Quandt. “Also, due a number of acquisitions in the past 12 months, Ping Identity stands out as a point solution provider.”
Companies, then, can choose between point products—some standalone, some in suites—as well as suites in general. Note, however, that many identity management suites are also still works in progress, and “some vendors are further along than others,” she says. In addition, “there is a difference and a distinction between integrating an identity management solution, and integrating this capability into a systems management or middleware stack.”
Typically, a vendor will take either one or the other of those approaches to identity management. As a result, “big shops must choose: Is identity management part of application security or systems management?” writes Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester Research, in a recent report on user provisioning. He breaks the overall identity management space into either the systems management approach (which includes products from such vendors as BMC, CA, HP, and IBM) or the more application-platform approach, which includes products from Microsoft, Novell, Oracle, and Sun.
After organizations decide which identity management approach they’re taking, Penn recommends they don’t just consider point product capabilities, given the rampant market consolidation. “For organizations with complex needs, provisioning is becoming a platform decision, more often than not,” he says. Hence, decisions made today influence the identity management capabilities organizations may have in the future—beyond just federated identity.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.