Liberty Alliance shows single sign-on technical spec

The Liberty Alliance Project Monday revealed its long-awaited technical specifications to help companies set up systems that will let users sign on just once to gain access to a host of password-protected Web sites and services.

But the mere fact that the 40-member-plus consortium, led by Sun Microsystems Inc. and United Air Lines Inc., has finally produced something tangible may impress some industry observers more than the details about the technical specifications it backs, such as the Security Assertion Markup Language (SAML).

"A lot of people had been skeptical, and they didn't really understand what this Liberty Alliance was about," said David Smith, an analyst at Gartner Inc. in Stamford, Conn.

Founded last September, the Liberty Alliance Project promised to create technical specifications that would permit single sign-on and decentralized authentication based on openly available technologies. The initiative created an alternative to Microsoft Corp.'s Passport system, which authenticates only users who access sites that support Passport.

Both the Liberty Alliance and Microsoft have taken great pains to stress that they don't compete. Bill Smith, Sun's representative to the Liberty Alliance, said last week, "We'd hope that Microsoft or anyone with an interest in identity management would join in the work we're doing."

Meanwhile, Adam Sohn, a product manager at Microsoft, said his company could join the alliance, work informally with the group on interoperability standards or simply work to make sure its Passport system can share information with sites that support the Liberty specifications.

That sort of rhetoric has been going on for months with little movement, but Microsoft now has a real specification to review. "We'll take a look at the spec and figure out what the next steps are," Sohn said.

The Liberty specification is based on SAML, an XML-based security standard for exchanging authentication and authorization information, but it will also define extensions to SAML, according to James Kobielus, an analyst at Midvale, Utah-based Burton Group.

Kobielus said the Liberty specs use the basic formats and protocols of SAML and add extensions to support account linking, or "identity federation." "Opaque identifiers" traverse the Internet, serving as anonymous IDs to permit users to access other sites, but they don't contain personal account information, he said.

For instance, a user might book a flight on one site and be linked to other sites for car and hotel reservations, but all of his unique account information would be managed separately by the airline, rental car and hotel companies, Kobielus said.

"Liberty makes it difficult to aggregate personal data across linked accounts," Kobielus said. But users can opt to link their accounts, he added.
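The account-linking model Kobielus describes (opaque, per-site identifiers minted only after the user opts in, with personal data staying at the issuing provider) can be shown in a small simulation. This is an added example written for this article, not code from the Liberty Alliance or from the SAML specification; it assumes the identity provider hands out random handles and keeps the mapping itself, and all names, accounts and booking records are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Toy identity provider: holds real accounts and issues per-site opaque handles."""
    accounts: dict = field(default_factory=dict)   # user_id -> personal data (never leaves the IdP)
    handles: dict = field(default_factory=dict)    # (user_id, site) -> opaque handle
    consents: set = field(default_factory=set)     # (user_id, site) pairs the user chose to link

    def register(self, user_id: str, **personal) -> None:
        self.accounts[user_id] = personal

    def consent_to_link(self, user_id: str, site: str) -> None:
        """The user opts in to federating their account with one particular site."""
        self.consents.add((user_id, site))

    def federate(self, user_id: str, site: str) -> str:
        """Return the opaque handle for this user at this site, minting one on first use.
        A different random handle is issued per site, so sites cannot correlate them."""
        if (user_id, site) not in self.consents:
            raise PermissionError(f"{user_id} has not opted in to link with {site}")
        key = (user_id, site)
        if key not in self.handles:
            self.handles[key] = secrets.token_urlsafe(16)  # random; carries no account data
        return self.handles[key]

    def resolve(self, site: str, handle: str):
        """Only the IdP can map a handle back to a user, and only for the site it was issued to."""
        for (uid, s), h in self.handles.items():
            if s == site and h == handle:
                return uid
        return None


@dataclass
class ServiceProvider:
    """Toy relying site (airline, car rental, ...) that keys its own records by the handle."""
    name: str
    local_accounts: dict = field(default_factory=dict)  # handle -> site-local record

    def link(self, handle: str, local_record: dict) -> None:
        self.local_accounts[handle] = local_record

    def lookup(self, handle: str):
        return self.local_accounts.get(handle)


def shared_handles(a: ServiceProvider, b: ServiceProvider) -> set:
    """Handles two sites could match on to aggregate data; should be empty."""
    return set(a.local_accounts) & set(b.local_accounts)


def handle_reveals(handle: str, personal: dict) -> bool:
    """True if any personal attribute value is embedded in the handle."""
    return any(str(v) in handle for v in personal.values())


def demo():
    """Constructed scenario: one traveller linked to an airline and a car-rental site."""
    idp = IdentityProvider()
    idp.register("alice", email="alice@example.com", frequent_flyer="FF-12345")
    airline = ServiceProvider("airline")
    rental = ServiceProvider("rental-cars")

    idp.consent_to_link("alice", "airline")
    idp.consent_to_link("alice", "rental-cars")
    h_air = idp.federate("alice", "airline")
    h_car = idp.federate("alice", "rental-cars")

    # Each site keeps only its own data, keyed by the handle it was given.
    airline.link(h_air, {"booking": "FLT-001"})
    rental.link(h_car, {"reservation": "CAR-777"})
    return idp, airline, rental, h_air, h_car


if __name__ == "__main__":
    idp, airline, rental, h_air, h_car = demo()
    print("airline handle:", h_air)
    print("rental handle: ", h_car)
    print("handles shared between sites:", shared_handles(airline, rental))
```

Running the script prints two unrelated random handles and an empty intersection: the airline and the rental company each hold only their own booking record, neither handle contains the e-mail address or frequent-flyer number, and a site the user never opted in to (say, a hotel) gets no handle at all because `federate` refuses without consent.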

Phase 1 of the Liberty specification deals strictly with authentication sharing, according to Sun's Smith. Phase 2 is already under discussion, but no details are available.

How well the Phase 1 spec works in practice remains to be seen. Sun, Novell Inc. and other companies today are expected to pledge to support the Liberty specifications in their respective products.

Also today, about a dozen companies, including Novell, Sun and IBM's Tivoli division, are scheduled to demonstrate SAML-enabled products at a hospitality suite sponsored by the nonprofit Organization for the Advancement of Structured Information Standards.

Gartner's Smith said corporate IT departments will probably want to make their existing systems work in the Liberty environment rather than throw out what they have and buy new products. But that could mean custom coding for their developers, he said.
