Five Things You Should Know About Internet Identity
But this week saw some real progress in next-generation identity management. Vendors demonstrated interoperability using Security Assertion Markup Language (SAML), which will allow different systems to exchange standards-based identity tokens that will enable single sign-on to become a reality. The Liberty Alliance launched the first version of its specifications, which define how companies can deliver federated identity management capabilities. A slew of vendors—including Oblix, Netegrity, OpenNetwork, Sun, Novell, Waveset and others—detailed plans to support these emerging standards. And even Microsoft made some news, showing up at the Liberty announcement and floating a detente balloon by agreeing to support SAML across its identity and Web services security plans.

So let's boil things down. What do enterprises need to know? Here's our list of the top five things we think we've culled from this week's events:

1. The Three Layers Of Identity: Enterprise, B-To-B, And Public
2. Don't Wait For The Standards: Getting Started Now In Managing Identities
3. SAML, XACML, WS-S And More: Navigating The Alphabet Standards Soup
4. Kissing Cousins: The Intersection Of Identity And Web Services
5. FUD Watch: Schisms, Road Blocks, And Other Potential Curves

Also, be sure to follow the coverage of the Burton Group Catalyst conference, where much of this week's news was made, from frequent Internetweek.com contributors at Digital ID World. Their insights are worth checking out. And check out our own recent coverage of the future of Web services security, WS-Next. We'll address some criticisms we received on that story below.

1. The Three Layers Of Identity: Enterprise, B-To-B, And Public

Identity management is often most associated with public services like Microsoft Passport. On the other end of the spectrum, most enterprises are used to dealing with access-control issues, including authenticating users onto networks and into applications.

Identity management, as the term fits today, encompasses both those extremes and more. Understanding what is meant by identity management—and what technologies, specifications, and standards address which scenarios—is important for making the right vendor and architecture decisions.

"Right now, our customers are still in, I wouldn't say shock, but they're still trying to digest all of these developments and what it means to them," said Nand Mulchandani, founder and chief technology officer of Oblix. "People get confused where SAML gets used, where Passport gets used, and where [enterprise access-management systems like Oblix's] NetPoint get used."

According to Nand and other experts, enterprises should consider three top-level use cases for identity: enterprise, B-to-B, and public.

Already today, many large enterprises—from Boeing to American Airlines to Best Buy—are rolling out major enterprise single sign-on projects (more on that below). Corporate single sign-on really doesn't require any of the standards that are emerging; administration is centralized, so so-called federation standards like Liberty aren't a must-have. An enterprise can also manage its rollout so something like SAML, which is great for authentication interoperability, isn't as important in an intranet environment as in other scenarios.

Still, the drivers for enterprise identity management are strong—and they have mainly to do with simplifying administration of user identities and saving the help desk from having to spend all its time helping users recover passwords. As a side benefit, simplified sign-on should stop individual users from resorting to absolutely frightful—from a security perspective—ID management processes, such as taping their passwords to their PC or using the phrase "password" since it's so easy to remember.

"The enterprise ROI and business case for single sign-on is just so very clear," said Oblix's Mulchandani.

The next use case is B-to-B, and this is where SAML begins to come in. Consider, for example, Boeing Corp., which runs a corporate extranet that sees literally thousands of trading partners looking to gain access to its collaborative applications at any time. By deploying a SAML-based solution, Boeing can let its access systems exchange SAML security information with other, non-Boeing systems—essentially stitching together a single identity network that spans its enterprise and its trading partners.

Finally, the third model is the world of public identity. And this is where the concept of federation comes in. Consider a user sitting on the Dell or IBM Web site. He's looking to buy a PC. In a Liberty scenario, the site would issue a SAML token—Liberty is strongly based on SAML—which would not only log the user in on that site but could potentially be passed on to other parties, such as a shipping company like FedEx or UPS, without requiring the user to log in again.

Copyright © 2010 CMP Media LLC