A workable solution for IDs?

A secure ID is the starting point for most in-house IT systems, but we really need a federated ID that is still secure for most of what we are now contemplating in terms of the people-based Web 2.0 style interactions that are driving a lot of the new business value today. Nowhere is this more important than for eGovernment, or more particularly for eCitizens, to use IDs they already have. Of course there is nothing new about this, but it’s a lot easier to describe the requirement than to deliver the solution, if for no other reason than that we are not starting with a clean sheet of paper: everyone has some level of an ID solution already, and federation means getting lots of different people and enterprises to agree that a common interest is as important as, if not more important than, their own interests.

The wish list has been in place for some time now, as well as some of the basic ingredients to build on, so we are now in the boring but critical phase of actually getting some real basic ‘nuts and bolts’ work done. I assume it’s for this reason that the announcements of some very real success didn’t hit the headlines: too far after the ‘sexy announcement’ and too much around the boring engineering detail. So what and where have we got to now?

Microsoft have just announced beta 2 of their ‘cloud’ ID management product, code named Geneva (I suppose they had to add the term cloud, but it’s not only about clouds; federated IDs are just a fundamental requirement), and there is a full write-up on the Microsoft Blogs at MSDN here: http://blogs.msdn.com/usisvde/archive/2009/05/12/simplify-user-access-secure-collaboration-across-organizational-boundaries-with-geneva-beta-2.aspx What got me excited is that Microsoft have previously not been too enthusiastic about supporting an approach based around Security Assertion Markup Language, SAML; instead they have wanted to base ID on their own approach to the W3C Web Services Specification – Federation, sometimes known as WS-F.

Others in the industry have been in general agreement over the adoption of SAML, but now in Geneva beta 2 not only is there full support for SAML, but also some really good examples to prove it works with four important partners: SAP, Sun, Novell and CA. That means we have five major software providers actually demonstrating they can really make the basics of an interoperable ID work, but hidden in this statement is something pretty important. The interoperability is achieved by what I will call a sensible compromise, though of course there are critics who say that Geneva is using SAML in the wrong way. You can read up on this in detail at the NetworkWorld blog, http://www.networkworld.com/community/node/41779, which states ‘Microsoft Geneva could be genius, but sceptics abound’.

SAML is actually in two major parts: an open token called the SAML Assertion, and the profiles with ancillary information that manage the tasks of sign-on, etc. In Microsoft’s approach to WS-F the separation between the two parts is complete, and it allows a number of different but recognisable security tokens to be used, Kerberos for example. The positive side is that this makes it possible for an enterprise using the Microsoft version of WS-F to work with a number of different enterprises that already have some security token management scheme in use. The negative side is that the token is supposed to be a SAML Assertion to ensure that a full and correct WS-F implementation is in place between the two enterprises.
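To make the ‘open token’ part concrete, here is an added example (my own code, not Microsoft’s or anyone else’s implementation) that reads a constructed SAML 2.0 Assertion and checks the fields a relying party must verify on the token itself, whichever profile or WS-F exchange delivered it. The issuer and audience URLs are placeholders, and the XML signature is assumed to have been verified separately before this check runs.

```python
"""Validate the token-level claims of a SAML 2.0 Assertion, independent of the
sign-on profile that carried it. Signature verification is assumed to be done
beforehand and is deliberately out of scope here."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not a real token); issuer/audience are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_example1" Version="2.0" IssueInstant="2009-05-12T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-05-12T10:00:00Z" NotOnOrAfter="2009-05-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """SAML uses xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, now, trusted_issuers):
    """Return (ok, reason, name_id) for the assertion's own claims."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion", None
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window", None
    # NotOnOrAfter is exclusive: the token is already stale at that instant.
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.com",
                             parse_time("2009-05-12T10:02:00Z"), {"https://idp.example.org"}))
```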

Actually SAML is a lot more complicated than this, and I should point out that there is SAML SP Lite to make the use of the standard easier; in particular it’s worth knowing that the US Government has a defined specification for supporting SAML, which some claim to be the ‘guide’ to use.

However, to get any standard between enterprises in place requires enough adopters in the first wave to drive the less enthusiastic to join in, on the basis of peer pressure to conform to the new expectation. At the root of this is the argument on cost and ease of adoption, so to me this looks like a sensible and very workable way to achieve a wider adoption of secure IDs, an increasingly necessary aspect for both online business and ‘Everything as a Service’, XaaS; and of course there is also the fact that some of the other top providers of ID and sign-on capabilities have joined in to prove it works.

Okay, no doubt there will be some posts saying that half-hearted support for any secure standard is no good, but to me, taking the sheer scale of the Microsoft footprint in the market, the other elements in the Geneva platform including a framework for making .Net developed code ‘aware’ of the Microsoft WS-F capabilities, plus some real abilities to interact with some other key players, it’s a change worth noting.
