...Federation is perhaps the most important emerging technology in SSO for governments worldwide. It is largely driven, sources say, by the need to give constituents a single Web point of contact for departments that must collaborate but remain organizationally separate, each with its own IT resources, and to make those resources securely accessible across that divide. Federation “gives people the ability to establish multienterprise levels of trust,” said David Ting, Imprivata’s chief technology officer.
The main champions of federation are the Liberty Alliance and the Organization for the Advancement of Structured Information Standards (OASIS). They jointly support Security Assertion Markup Language (SAML), an XML-based standard designed to extend single sign-on across organizational boundaries using a federated model. “Federation itself is about the portability of identity,” said Brian Campbell, a software engineer at Ping Identity, which makes federation software, and co-chairman of the OASIS technical committee that worked on SAML. “What SAML seeks to do is allow users to carry identities between Web sites. It encodes, in a sort of XML security token, a message about the user’s identity, based on trust. There is a [digital] certificate involved in most of the profiles.”
Campbell said the trust is established between the organization that issued the original certificate and the receiving organization, not between individual users.
SAML minimizes the need for custom integration each time an application is added to an SSO system or Web portal, said Roger Sullivan, president of the Liberty Alliance Management Board and an Oracle vice president. “When you want to add a new resource, you only need to ensure the inbound and outbound identity assertions are SAML-compliant.” For nearly five years, the Alliance has tested products for conformance to the standard. There are no immediate plans for major upgrades to SAML, now in Version 2.0, he said.
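The trust model Campbell and Sullivan describe, organization-to-organization rather than user-to-user, is easy to lose in the abstract, so here is an added illustration in Go. It is not part of the original GCN article and is not code from any vendor or from the SAML specification. One party (the identity provider) signs an assertion about a user with a key whose certificate the partner (the service provider) has been given in advance; the partner keeps a trust store keyed by issuer, and accepts an assertion only if the signature verifies against that issuer's certificate, the assertion is addressed to it and the validity window holds. Two simplifications are assumed and labeled in the code: the signature covers the raw serialized bytes rather than an XML Signature over canonicalized XML, and the certificate is self-signed in place of one exchanged during federation setup. The entity IDs and subject names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Assertion is a cut-down model of a SAML 2.0 <Assertion>: who issued it, who
// it is about, who may consume it and when it is valid (times as elements here).
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	Issuer       string    `xml:"Issuer"`
	Subject      string    `xml:"Subject>NameID"`
	NotBefore    time.Time `xml:"Conditions>NotBefore"`
	NotOnOrAfter time.Time `xml:"Conditions>NotOnOrAfter"`
	Audience     string    `xml:"Conditions>AudienceRestriction>Audience"`
}

// IdentityProvider is the issuing organization; partners trust its certificate.
type IdentityProvider struct {
	EntityID string
	Cert     *x509.Certificate
	key      *rsa.PrivateKey
}

// NewIdentityProvider makes a signing key and a self-signed certificate for it
// (assumption: in a real federation the certificate is exchanged during setup).
func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &IdentityProvider{EntityID: entityID, Cert: cert, key: key}, err
}

// Issue returns the serialized assertion about subject for audience, plus the
// issuer's signature over exactly those bytes (assumption: real SAML signs a
// canonicalized XML form; raw bytes keep the trust model without that machinery).
func (idp *IdentityProvider) Issue(subject, audience string, now time.Time, ttl time.Duration) ([]byte, []byte, error) {
	body, err := xml.Marshal(Assertion{
		Issuer:       idp.EntityID,
		Subject:      subject,
		NotBefore:    now,
		NotOnOrAfter: now.Add(ttl),
		Audience:     audience,
	})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
	return body, sig, err
}

// ServiceProvider is the receiving organization. Its trust store maps an issuer's
// entity ID to that organization's certificate; nothing per user is pre-shared.
type ServiceProvider struct {
	EntityID string
	Trusted  map[string]*x509.Certificate
}

// Validate accepts an assertion only if a trusted issuer signed it, it names this
// provider as audience and now lies in its window; it returns the subject.
func (sp *ServiceProvider) Validate(assertion, sig []byte, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(assertion, &a); err != nil {
		return "", err
	}
	// Parsed fields stay untrusted until the signature verifies; Issuer only picks the certificate.
	cert, ok := sp.Trusted[a.Issuer]
	if !ok {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate for %q is outside its validity period", a.Issuer)
	}
	digest := sha256.Sum256(assertion)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify against the certificate for %q", a.Issuer)
	}
	if a.Audience != sp.EntityID {
		return "", fmt.Errorf("assertion is for audience %q, not %q", a.Audience, sp.EntityID)
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", fmt.Errorf("assertion is outside its validity window")
	}
	return a.Subject, nil
}
```

The order of checks in Validate is deliberate: the Issuer is read before the signature is verified only to select a certificate, and nothing else parsed from the token is acted on until the signature holds. A token signed by an organization that is not in the trust store, a token altered in transit, a token issued for some other portal, and a token replayed after its window has closed are all rejected for distinct reasons, which is the practical content of Sullivan's remark that adding a resource only requires its inbound and outbound assertions to be SAML-compliant.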
In the federal government, the push to integrate homeland security agencies internally is the biggest driver of interest in federation, Sullivan said. “We actually see the majority of uses as within agencies or between agencies,” Anthony said, adding that most federal customers who use Tivoli Access Manager’s federation feature use it internally.
Federation is the key technology in E-Authentication, an effort by the General Services Administration to test and certify product interoperability, and Sullivan said GSA is working on government extensions to SAML.
The certification program was originally based on SAML 1.0, but Campbell said the agency recently updated it for SAML 2.0.
Still, Gebel and Weiss both said federation technology is somewhat immature and agreed with Fymat that adoption will hinge instead on hammering out policies on how to merge business processes.
Microsoft offers a competing standard, WS-Federation, that is now being considered by an OASIS working group. Campbell said that although it is a longer specification, it was originally based on OASIS technology, uses SAML 2.0 tokens and has “a lot of overlap.” WS-Fed, however, is the basis for a Microsoft federation server that does not fully support SAML, he said, and formation of a working group in no way implies OASIS’ blessing. Still, Microsoft’s participation in the organization’s process is taken as a good sign.
The next major phase of SSO is likely to be extending it to machine-to-machine authentication. “Web services are seemingly on everyone’s agenda,” Gebel said. In October the Liberty Alliance released a standard, the Identity Web Services Framework, used together with SAML 2.0, that facilitates sensitive, automated financial transactions among Web services.
Read the complete article by David Essex, Special to GCN.