Open source identity

A complete identity management solution comprises a number of components. As such, it would be difficult for any single open source project to offer a plug-and-play identity management system. There are, however, a number of projects that offer components of such a system, particularly in the area of federation and SSO (single sign-on).

In the SSO department, Yale University has developed a set of Java servlets called CAS (Central Authorization Service), which is provided under Yale's own license and which many U.S. universities currently use. Another toolkit -- similarly under a custom license -- is the JOSSO (Java Open Single Sign-On) Project, which offers hooks for ASP, PHP, and Java applications.

Both these projects are very SSO-specific and won't provide a strong foundation for a complete identity infrastructure. On the other hand, efforts to develop standards for identity federation -- including SAML, the WS-* stack, and the various standards that the Liberty Alliance proposed -- are promising, and a number of open source efforts are already under way in this space. For more information about this topic, see "Identity's federated future."

Ping Identity is the sponsor of SourceID , an identity federation toolkit that provides support for the SAML 1.1 and Liberty-ID-FF 1.1 protocols under both Java and .Net, with additional support for Liberty-ID-FF 1.2 under Java only. The libraries allow developers to implement features such as cross-domain SSO and attribute queries. The code is provided under SourceID's own license. It also forms the basis of PingFederate, Ping Identity's commercial identity federation server.

Perhaps the most ambitious open source federated identity effort is Shibboleth, a project of Internet2's Middleware Architecture Committee for Education. Designed primarily for use by educational institutions on the Internet2 network, Shibboleth is a complete authentication and access control system for Web-based resources, built around SAML and released under a custom license. The software is pure Java, and a number of organizations -- including universities, libraries, and the Napster digital music service -- currently have it in production use.

None of the open source identity offerings mentioned here are for the faint of heart. All require some development expertise and a thorough understanding of the local network environment in order to be implemented effectively. If a complete identity management solution is what you're looking for, you would be well-advised to seek out the various commercial vendors. As interest in identity management continues to grow, however, it's likely that some of these projects -- particularly Shibboleth -- will gain greater prominence.