Computerworld

Federating identity for the Web

User-centric innovations CardSpace and OpenID may finally bring the promise of federation within reach

Federated identity has long been a goal of many IT organizations. One look at the promise of federation, and it is easy to see why. After all, empowering one organization to serve as an identity provider for another frees IT from having to manage the identities of partnering organizations' employees and customers, thereby facilitating the pursuit of competitive-advantage projects. In this era of increasing enterprise decentralization, thanks in large part to the Web, establishing a federated identity framework is fast proving as essential as it is hard to pull off.

What has held federation back is not a technical matter; after all, standards are well-defined, and interoperable tools are available from multiple vendors. Instead, the chief obstacles to federation have been the legal and governance issues that surround federated identity.

Suppose your company federates identities with a 401k provider. Which organization is liable in the event of fraud connected with the federation? Hammering out agreements regarding such questions can keep attorneys occupied for weeks. Privacy concerns on the part of users remain another sticking point. What's more, in many places -- such as your company Web site -- federation just isn't possible using traditional methods.

Enter "user-centric identity," a new approach to federation that has gained momentum as of late.

The key to this burgeoning revolution in identity is the fact that the technology places employees, clients, partners, and customers in the driver's seat when it comes to relaying their identity. In fact, the technologies are designed in such a way that sharing data requires user consent.

Implemented prudently and with purpose, user-centric identity may provide hope for those organizations seeking to capitalize on federation, as the technologies can free them from having to hammer out identity agreements, thereby cutting through the Gordian knot of governance while opening enterprise outlets to the promise of federated identity where traditional modes of federation just can't be applied.

Two technologies in particular have emerged to catch the attention of organizations looking to accelerate their federation efforts: CardSpace, a standard developed by Microsoft to provide a comprehensive solution to user-centric identity problems; and OpenID, a lightweight standard that's the result of the work of multiple companies to create identities based on URLs.

User-centric identity comes of age

For many, the thought of employing a fledgling technology as part of an identity initiative is tantamount to writing a resignation. Yet proponents, such as Sxip Identity CEO Dick Hardt, believe the groundswell of vendor support will soon make user-centric federation a viable enterprise play.

"I'd give the industry an A," Hardt says. "Unlike previous identity technologies, almost every major vendor is participating in user-centric technology in some way."

As with any technology, user-centric federation faces an uphill battle in terms of gaining widespread enterprise support. More than a matter of industry consolidation and standards development, a technology's enterprise hope hinges on thorough interoperability testing, trustworthy libraries and tools, and most importantly, products that bring the technology's promise to life.

CardSpace and OpenID have certainly come a long way during the past few years. Yet important steps must be completed before organizations can put them to widespread use. Despite well-baked standards, CardSpace comes up short on functionality such as mobile credentials. More glaringly, OpenID has serious holes that proposed standards aim to fix, but there has been little traction in getting those standards approved.

That is not to say vendors are at a standstill. In fact, interoperability testing is a bright point for both technologies, with interop events taking place multiple times per year to the tune of deep participation from players large and small. Moreover, tools and libraries abound. For enterprises, however, adoption often depends on product selection. Thus, with only a handful of solutions available with CardSpace or OpenID baked in, deployment has been slow.

"There aren't a lot of pieces you can buy off the shelf. We've done well on [tools for the] identity selector, but tools for identity providers and relying parties are still lagging," Hardt says.

Page Break

Motivating change

Technology, of course, is one thing, but buy-in depends largely on winning over top-line minds. Here is where the particular intricacies of identity play a heavy hand in the fate of user-centric federation in the enterprise.

"Identity is a difficult challenge when you consider that a large organization has so many different kinds of relationships -- employees, contractors, partners, and customers -- all spread across regions and geographies," says Mike Neuenschwander, vice president and research director at Burton Group. "On top of this is the problem of policy -- expressing what the organization requires or expects in each situation."

To date, much of the motivation behind identity deployments has centered on the bottom line. "Reduced help-desk costs and increased security are driving consciousness around ID in the enterprise," says Andre Durand, CEO of Ping Identity (Full disclosure: I am on Ping Identity's advisory board).

But as organizations gain experience with user-centric identity, primary considerations such as reducing customer friction and building brand become important.

To date, much of the federation work has been done in the b-to-b realm, where strong ROI arguments can be made for federating with partners. But in the b-to-c space user-centric identity systems really shine, since enforcing any kind of technology in a b-to-c environment significantly increases the friction of the transaction. Having an identity system that customers are comfortable using is a big win. What's more, with users in control of their identity credentials, user-centric identity can save you the hassle of password reset and account management in many cases.

As said before, the big problem facing any federated identity deployment -- b-to-b or b-to-c -- is the time it takes to set up connections with the myriad organizations involved. User-centric solutions provide a quick and easy way to knock these connections out and scale as you go.

"If you have to hit a lab with one of these things, you've set an upper bound on how many you can do," Burton Group's Neuenschwander says, noting that traditional modes of federation necessitate copious lab testing time before rollout.

Moreover, in numerous scenarios a full-blown federated deployment would be overkill; here, user-centric systems are proving more than worthwhile. For example, you may want to set up partner relationships that have lower-value and, hence, reduced authentication requirements. User-centric technologies can provide a low-cost, low-overhead solution. What's more, they provide sought-after flexibility, allowing the identity system to grow as the business relationship evolves.

In fact, one of the goals of the user-centric technology is to provide an identity metasystem that functions independently of individual applications.

"We need to be able to escalate from low-value to high-value authentication decisions without having to rip out one piece of software and install another," says Kim Cameron, chief identity architect at Microsoft, and author of the Seven Laws of Identity, a primer for user-centric identity technologies. "Different roles in an application can have authentication regimes of differing strengths and yet retain a consistent user experience."

Thus, one of the interesting, early uses of user-centric tools is to provide UI elements to existing federations. "These technologies can provide an easier user interface for partner federations that already exist," Neuenschwander says.

Privacy and security

Perhaps against the grain of suspicion, user-centric technologies hold promise in providing increased privacy and security, simply because of how they are built. CardSpace, for example, enables selective disclosure of user attributes, making it possible to avoid revealing personal details irrelevant to a given transaction. OpenID does not yet offer user-attribute functionality.

Any system that allows users to present a single set of credentials to multiple Web sites, however, runs the risk of user activity on those sites being correlated in some way. With OpenID, for example, the identity provider knows every Web site you show your credentials to. As with other Web technologies, convenience can come at the cost of privacy.

Page Break

As for providing security assurance, CardSpace is built on standards such as WS-Trust, Secure Token Service, and WS-Security. As a result, CardSpace benefits from the public security reviews of these standards. And because both CardSpace and OpenID are open architectures, thorough security reviews of each are possible.

The biggest threat to individuals is the so-called "social engineering" that any identity system allows. Of these, phishing poses the biggest threat at present, and OpenID, like any Web-based authentication scheme, is especially vulnerable. CardSpace's identity selector was invented specifically to foil phishing and related attacks. Moreover, CardSpace's rigid insistence on a consistent user experience reduces the diverse authentication contexts users face when tapping Web-based authentication technologies, thereby increasing the likelihood that they will recognize something out of the ordinary when asked for credentials.

Crossing the identity chasm

User-centric technologies have already demonstrated that they can solve many of identity's most difficult problems. Yet user-centric identity currently stands overlooking Geoffrey Moore's product adoption chasm, having won over enthusiasts and visionaries, but awaiting widespread adoption from the more pragmatic early majority on the other side. To cross that chasm, user-centric technologies will have to pass several milestones in the next 12 to 24 months.

First, user-centric identity will need to be incorporated into more of the products enterprise users buy. "The challenge is that the pieces aren't there for organizations to deploy," Sxip's Hardt says. "If CA ships it with SiteMinder, then it's a configuration decision. When Microsoft ships ActiveDirectory with CardSpace built in, issuing managed cards will be easy."

Burton Group's Neuenschwander agrees. "On their own, they're not likely to be deployed. Enterprises will deploy OpenID and CardSpace through a federation or ESSO [enterprise single sign-on] product. That will be a safer and more functional way for enterprises to acquire and deploy these technologies," he says.

As for the likelihood of either technology gaining widespread vendor acceptance over the short term, Neuenschwander adds, "Most of the federation vendors are going to support interaction with CardSpace. For one thing, it will get them single sign-on capabilities with Microsoft environments like SharePoint and Exchange. That's all rolling out over the next year."

A related component is the identity selector itself. Microsoft has included it in Vista, but getting the identity selector anywhere else requires downloading and installing it. Incorporating identity selectors into the OS without a separate download will increase penetration and will eliminate one side of the chicken-and-egg problem that enterprises face with CardSpace in b-to-c scenarios.

On the standards front, OpenID 2.0, with standards for user-attribute exchange, is an important milestone. For CardSpace, watch for the ability to synchronize claims among multiple machines, including mobile claims functionality.

Early adopters

Although there's still much to be done before most organizations will embrace these technologies wholeheartedly, some deployments are already under way.

Product managers are one group likely to embrace user-centric identity early because they are being driven to understand and serve customers in innovative ways. Two examples: AOL and France Telecom have both deployed OpenID. "As b-to-c, consumer-facing companies, AOL and France Telecom will view user-centric identity as a competitive advantage," says Ping Identity's Durand.

The governments of British Columbia and Singapore have announced plans to roll out identity cards based on CardSpace for citizens. Federation does not scale for many government uses because in most cases governments can't dictate architecture the way powerful business partners can. That said, governments has long served as a foundational role for identity in society, and these early steps may in fact help businesses see the benefits of user-centric identity systems, especially as they expand the technology's user base.

Page Break

Distributed organizations, such as universities, will also be early adopters because of their need to allow developers outside the traditional IT trust circle to authenticate users and retrieve attributes appropriately. In fact, authentication systems built for use in higher education, such as CAP (Common Authentication Project), are already being retrofitted with OpenID and CardSpace.

Many Web sites have already adopted these technologies, and this adoption is not limited to blog comments, rather it extends to authentication services for consumer-facing services. The key benefits are fast proving to be easier account management and the ability to avoid inventing yet another authentication scheme.

Near-term planning

During the next year, expect to see products from federation vendors that begin to capitalize on user-centric technologies. When they do, there will undoubtedly be projects in your organization that would benefit from putting the user in the middle of the transaction.

In the meantime, it's not too early to start exploring. You can use both OpenID and CardSpace now on a variety of sites on the Web. If you really want to get your hands dirty, good libraries and toolkits are available for CardSpace and OpenID. Identify a pilot project where user-centric identity would solve a sticky problem and dive in.

Understanding OpenID and CardSpace

User-centric identity, which puts users at the center of identity transactions, is fast capturing the attention of the Web-minded world. In fact, many traditional organizations are looking to blend user-centric technologies with traditional identity solutions in pursuit of federation.

Here's how user-centric identity works. Each transaction involves three actors: the user, the IdP (identity provider), and the RP (relying party). When the user needs to transact business with the RP, the RP asks for an identity credential. The user selects which credential to use and informs the credential-issuing IdP of the pending transaction. The IdP then sends a trustworthy message to the RP that the user is entitled to the credential he or she has selected.

Two technologies are at the forefront of this movement: CardSpace and OpenID. The two systems differ in their approach to the above steps, yet they share one critical aspect: Both carve out a central role for users in identity transactions and require the users to be actively involved whenever credentials are exchanged.

CardSpace

Developed and promoted by Microsoft, CardSpace differs from Microsoft's earlier identity efforts in that it is not a centralized identity product but is rather a protocol for building distributed identity systems. Microsoft offers products that implement CardSpace-compatible identity providers and relying parties, but so do other vendors.

CardSpace is a token-based system, meaning that the credentials are cryptographic messages that the IdP creates and the RP can verify. These tokens are created on the fly by the IdP at the request of the user and include a subset of the attributes contained in the parent credential.

The central feature of CardSpace is the identity selector. Just like your wallet, the selector allows you to pick the credential you would like to send to an RP. The CardSpace protocol limits the available credentials to those that meet the RP's requirements. For example, if the RP wants payment, nonpayment cards would be excluded and your selector would show only the credit cards you have stored.

The selector allows for two kinds of cards: self-issued and managed. Self-issued cards are useful for activities such as authenticating into a blog commenting system and similar low-risk transactions. Managed cards might include a credit card from your bank, an ID from your employer, or even an online version of your driver's license from your state government.

Page Break

A CardSpace identity selector is included in Vista and can be downloaded for XP as part of the .Net Framework 3.0. Card selectors for the Mac and Linux are available from Novell as part of its Bandit project. You can try them out by logging in to Microsoft Chief Identity Architect Kim Cameron's blog.

OpenID

An open standard, OpenID is the fruit of several folks' labor during the past several years. Originally developed by Brad Fitzpatrick as an identity system for LiveJournal, OpenID is now developed under the auspices of the OpenID Foundation.

OpenID identifiers are URLs. Any URL can be used as an OpenID. Rather than relying on tokens, OpenID is a relationship-based identity system. As a result, when I give a relying party my OpenID URL, the IdP asserts to the RP that I have provided sufficient evidence of a relationship with the IdP. What the evidence is and the nature of the relationship are undefined in the OpenID specification. Usually the evidence is a password authentication, but it may be based on a secure, physical token or a record that I had signed up for an account in the past.

This simplicity is OpenID's strength and chief weakness. On the one hand, it makes OpenID incredibly lightweight and easy to deploy. On the other hand, RPs know almost nothing about the user except that the IdP and the user share a secret. Unless the IdP is trusted by the RP, it is difficult to use an OpenID for anything more than authorizing blog commenters.

OpenID is the subject of significant ongoing activity. It has a robust discovery mechanism based on XRDS (eXtensible Resource DescriptorS) and an attribute exchange mechanism contributed by Sxip Identity. These and other improvements are documented in the yet-unratified OpenID 2.0 specification.

OpenID is most at home on the Web when deployed on sites that allow users to self-provision accounts. By using OpenID, these sites free themselves from the burden of managing the authentication phase of the interaction with the user and the hassles that come with this, such as password reset.

There are an estimated 160 million OpenID-enabled URLs and nearly 10,000 sites that support OpenID log-ins. No special software is needed to use one. In fact, if you have an AOL account or screen name, you're part of that 160 million because AOL has OpenID-enabled their identifiers. If your AOL screen name is "froam2," then your AOL OpenID is http://openid.aol.com/froam2. You can use it to log in to any of the sites in the OpenID Directory.

Additional resources

Seven Laws of Identity CardSpace libraries and samples Using CardSpace on a blog .Net Framework 3.0 selector for XP OpenID Directory OpenID providers OpenID libraries