The Security Assertion Markup Language interoperability bake-off and release of an eagerly awaited specification from the Liberty Alliance last month mark historic steps forward for Web services, security and distributed applications.
An XML-based standard, SAML provides a means for applications or security servers to exchange portable identity assertions that authenticate or authorize users.
The Liberty Alliance Version 1.0 specification builds on SAML, enabling identity domains keeping local accounts or profiles for the same user to link those records on an opt-in basis.
Together, SAML and the Liberty specification are great tools to expand your identity management options. A traveler could make car, hotel and airline reservations from a single site while taking advantage of frequent flyer, renter and guest "loyalty accounts" held at multiple companies. A doctor could federate from a hospital IT system to a third-party imaging company's X-ray database with roles-based access control.
As the excitement of SAML/Liberty's debut fades, however, sober reflection must begin. The standards will provide great tools, but companies need to understand how and where to use them. And there's still much work to be done.
First and foremost, additional common-denominator standards, legal or commercial frameworks, and best practices for federated identity will be needed. Today, you can hope to work with partners across peer-to-peer, hub-and-spoke or small circles-of-trust arrangements. But just as it was difficult at first to interconnect regional ATM networks into a global financial system, multiple challenges will limit universal, multiparty use of SAML/Liberty.
Among these challenges are competitive disincentives for sharing data between businesses, practical difficulties with Web security and lack of scalable public-key infrastructure (PKI) trust models.
Early adopters will face familiar and unfamiliar pitfalls, but these will be manageable. Allow some time for growing pains with early products supporting the standards. Federation can't occur in an identity vacuum, so you'll have to continue the sometimes painful process of building authoritative directories in-house. However, federation tools provide a possible solution for linking existing directories. Looking forward, lawyers and business owners must create the privacy policies and trading-partner agreements underpinning trust relationships. But establishing agreements and trusts for SAML/Liberty can be significantly easier than designing a full-blown PKI or other alternatives.
The challenges are many, but they are unlikely to stop the SAML/Liberty train. Federated identity can bring real business benefits. Look for federation opportunities across the Internet, among business units, or even between disparate IT systems. Factor SAML/Liberty into your identity management architecture.
Blum is senior vice president and research director with The Burton Group, an integrated research, consulting and advisory service. He can be reached at firstname.lastname@example.org.