July 2003 ushered in a strong Microsoft offensive on the identity management and Web services standards front. In partnership with IBM and other vendors, Microsoft released WS-Federation specifications for federated sign-on, attribute services and pseudonym services - specifications that partially conflict with standards from the Organisation for the Advancement of Structured Information Standards (OASIS) and Liberty Alliance. In addition, Microsoft and IBM let it be known that they reject Service Provisioning Markup Language (SPML), which OASIS produced and most identity management vendors have adopted. What should we make of these hardball manoeuvres?
The good news is that WS-Federation and other Microsoft-inspired Web services specifications (collectively dubbed WS-*) feature what appears to be an open, composable and extensible architecture for Web services. WS-* embraces Security Assertion Markup Language (SAML) messages as tokens, offering an olive branch for convergence. And Microsoft and IBM say they plan reasonable and non-discriminatory licensing for the specifications. From these standpoints, WS-* will help bring Web services and federated identity closer to critical mass.
The bad news is that when it comes to identity management, WS-* is under-specified and only one of its components has been submitted to a standards body. Microsoft and IBM say they need more time to perfect WS-Federation, WS-Trust, WS-Policy and other specifications before submitting them. But I've heard concerns that the vendors are looking for a rubber stamp, while delaying submission risks freezing important OASIS standards work or freezing the market for federated identity.
While SPML schema and protocols are not loosely coupled enough to become the be-all, end-all Web services provisioning standards, they are a strong step forward for interoperable account provisioning. And Liberty Alliance's opt-in account linking has immediate applicability to multiple business-to-consumer and business-to-employee identity-management scenarios in today's mature installed base of browsers, Web servers and portals. Liberty's identity-federation specifications are a good start. The work now beginning at OASIS to combine SAML with Liberty, and enhance both, should go forward to create a powerful and extensible identity-federation architecture for customers.