January 29, 2007

Eclipse, Novell near 'Big Bang' for identity

Will divided vendor allegiances keep us in the dark?

Two open-source identity management projects said on Monday that they had achieved a key milestone in the development of open-source identity services that connect products regardless of maker or platform.

Developers from Novell's Bandit open-source project and Higgins, part of the Eclipse Project, said a new "reference application" created by the two groups is a working example of open-source identity services that interoperate with Microsoft’s Windows CardSpace identity management system and Novell's Access Manager, which uses identity federation based on specifications from the Liberty Alliance. The application shows that it is possible to link different identity systems using open-source components, according to Dale Olds, project manager for Bandit at Novell.

The integration, which has been under development for over a year, will be on display next week at the RSA Conference in San Francisco. Part of the demonstration will show how companies can integrate a non-Liberty Alliance identity system and a Liberty Alliance-based federated identity system provided by Novell Access Manager. In particular, the demonstration will have Novell Access Manager authenticate a user via Microsoft's CardSpace using information from an external identity system. In the demonstration, users will be able to access a sample media Wiki and blog using the technology, Olds said.

The vendors involved in the integration are working to realize a common vision of seamless identity layers that can be accessed from systems running on Apple OS, Microsoft Windows, or Linux, using a variety of protocols from the Liberty Alliance, OpenID, OASIS, or other groups.

"That's the Big Bang. An identity metasystem, and we're making tangible progress toward that vision," Olds said.

In contrast to current systems for linking identity systems, the technology on display at RSA will also be more "user-centric," by virtue of integration with Microsoft's CardSpace, Olds said. "The user will have a meaningful and convenient access to identity information, and it will be clear to them when it's being released," he said.

Microsoft's CardSpace -- and the Infocard architecture that underlies it -- is an important development because it provides an easy way for users to store and manage identity information and because CardSpace and Infocards will be widely available through Windows Vista.

Microsoft provided open specifications for CardSpace and helped manage intellectual property issues that were raised when implementing the Infocard technology as open source, Olds said. Engineers from IBM also played a part in the solution, building token services for the project, said Paul Trevithick of Parity Communications, technical lead on the Higgins Project.

But optimistic "interoperability" demonstrations of federated user identities have been de rigueur at RSA for years now without any measurable decline in the number of user identities and passwords that users manage or the tangle of identity stores within enterprises, Olds and Trevithick admit.

One problem in realizing the vision of an open-source identity layer is that it tends to commoditize existing identity management products, creating a perverse incentive for companies that are in a position to make interoperable identities work, Trevithick said.

"That may be the reason you hear about interoperability but still haven't seen it," he said. "Companies like Oracle and IBM and even Novell have no incentive to do it."

Olds said that previous attempts at interoperability have been premised too much on one set of protocols by groups like the Liberty Alliance "winning out" over others.

"It was kind of 'If only we could get everyone to adopt these protocols!'" Olds said.

The open-source nature of the Higgins and Bandit integration and a critical mass of CardSpace users may finally overcome those obstacles, however.

"This is an evolutionary approach," said Olds. "We all have 100 user accounts. With Higgins and Bandit and open-source technologies, maybe we'll get it so it's more manageable and we're down to 50 user accounts in a year, and we'll be better off."

©1994-2009 Infoworld, Inc.