A secure ID is one of the key underlying systems for most in-house IT systems, but as we move into a Web 2.0 world, does this go far enough? We really need a federated ID that is still secure for in-house systems, but also enables the IT department to contemplate Web 2.0-style interactions, which are increasingly driving a lot of the new business value. Of course there is nothing new about this, but it’s a lot easier to describe the requirement than to deliver the solution. Everyone has some level of an ID solution already, and federation means getting lots of different people and enterprises to agree that a common interest is as important as, if not more important than, their own interests.
The wish list has been in place for some time now, as well as some of the basic ingredients to build on, so we are now in the boring but critical phase of real ‘nuts and bolts’ work. I assume it’s for this reason that the announcements of real success didn’t hit the headlines soon after the ‘sexy’ announcement that the problem was being addressed. So where have we got to now?

Microsoft just announced beta 2 of its ‘cloud’ ID management product, code-named Geneva. (I suppose they had to add the term cloud, but it’s not just about clouds; federated IDs are simply a fundamental requirement.) There is a full write-up on the Microsoft Blogs at MSDN. What got me excited is that Microsoft had not previously been too enthusiastic about supporting an approach based around Security Assertion Markup Language (SAML). Instead, they have wanted to base ID on their own approach to the W3C Web Services Specification – Federation, sometimes known as WS-F.
Others in the industry have been in general agreement over the adoption of SAML, but now in Geneva beta 2 not only is there full support for SAML, but there are also some really good examples to prove that it works with four important partners: SAP, Sun, Novell and CA. That means we have five major software providers actually demonstrating they really can make the basics of an interoperable ID work. But hidden in this statement is something pretty important. The interoperability is achieved by what I will call a ‘sensible compromise’, though of course there are critics who say that Geneva is using SAML in the wrong way. You can read up on this in detail at the NetworkWorld blog, which states ‘Microsoft Geneva could be genius, but sceptics abound’.
SAML is actually in two major parts: an open token called the SAML Assertion, and the profiles with ancillary information that manage the tasks of sign on, etc. In Microsoft’s approach to WS-F, the separation between the two parts is complete and allows a number of different, but recognisable, security tokens – such as Kerberos – to be used. The positive side is that this makes it possible for an enterprise using the Microsoft version of WS-F to work with a number of different enterprises that already have some security token management scheme in use. The negative side is that the token is supposed to be a SAML Assertion to ensure that a full and correct WS-F implementation is in place between the two enterprises.
Actually, SAML is a lot more complicated than this, and I should point out that there is SAML SPLite to make the use of the standard easier. In particular, it’s worth knowing that the US Government has a defined specification for supporting SAML, which some claim to be the ‘guide’ to use.
However, getting any standard in place between enterprises requires enough early adopters in the first wave to drive the less enthusiastic to join in on the basis of peer pressure and align with the new expectation. At the root of this is the argument on cost and ease of adoption. So to me this looks like a sensible and very workable way to achieve a wider adoption of secure IDs, an increasingly necessary aspect for both online business and ‘Everything as a Service’ (XaaS). And, of course, there is also the fact that some top providers of ID and Sign On capabilities have joined in to prove it works.
No doubt there will be some posts saying that half-hearted support for any secure standard is no good. But to me, given the sheer scale of the Microsoft footprint in the market and the other elements in the Geneva platform, including a Framework for making .NET-developed code ‘aware’ of the Microsoft WS-F capabilities, plus some real abilities to interact with some other key players, it’s a change worth noting.