Vendors team on WS-Federation standard

Spec said to make it easier to move identities between infrastructures

Microsoft Corp., IBM Corp. and five companies that make identity management software are teaming to support the Web Services (WS) architecture and WS-Federation standard for sharing user identities across corporate extranets and the Internet, they announced Tuesday.

Netegrity Inc., Oblix Inc., RSA Security Inc., OpenNetwork Technologies Inc. and Ping Identity Corp. used Microsoft's Tech Ed conference in San Diego to demonstrate their products working together using the WS-Federation standard. The companies say that backing the WS standards will encourage the adoption of Web services by making it easier to move user identities between different technology infrastructures.

Introduced in July 2003, the WS-Federation specification was developed by IBM and Microsoft and is one of seven technical specifications, including WS-Security, that make up the WS architecture. WS-Federation describes a standard technology framework for creating and authenticating user identities, then using Web services to share that identity within a company, with customers or business partners.

The goal is to make it easier for users to move between different Web services environments without having to manage different user names and passwords or to continually log on and log off. For example, customers might take advantage of federated identity when moving from an employee Web portal offering access to a health maintenance organization to one offering access to retirement account information.

With broad support among software vendors for the WS architecture and WS-Federation standard, companies that want to deploy new Web services or build Web services bridges with partner companies won't have to worry about compatibility between different identity management platforms or extra integration work to get different platforms to work together and share information, said Michael Stephenson, group product manager of the Windows Server Group at Microsoft.

"Regardless of the software they use, whether it's Microsoft, Netegrity, IBM, this will allow interoperability in a seamless manner," he said.

While the integration at Tech Ed was just a demonstration, the partner companies hope to offer more comprehensive integration of their products, based on the WS architecture, in the future.

Microsoft will be modifying its Windows Server product to allow user and resource identities stored in Active Directory to be shared with environments using enterprise identity management products such as Netegrity's SiteMinder and Oblix's SHAREid, he said.

RSA said that it will offer support for WS-Federation in early 2005.

Bill Bartow, vice president of engineering at Netegrity, said in a statement that his company's products already support the WS-Security specification and that Netegrity is committed to supporting WS-Federation. Oblix will support WS-Federation after the specification is approved or adopted by the industry, according to a company statement.

The WS architecture builds on work done by other groups, including the Organization for the Advancement of Structured Information Standards (OASIS), which created the SAML (Security Assertion Markup Language), an XML (Extensible Markup Language) framework for exchanging user authentication information, and the Liberty Alliance, which has focused on creating interoperability between SAML installations. Working with companies like VeriSign Inc., RSA and SAP AG, IBM and Microsoft added new elements specifically focused on Web services deployments, such as WS-Policy, a framework for creating and communicating policies that govern interactions in a Web services environment, said Dan Blum, senior vice president and research director at The Burton Group.

The Tech Ed demonstration is a sign that Web services is moving toward realization, after years of work developing the underlying technology frameworks, Blum said.

"It's a proof of concept and a sign of progress, but there's still a lot of work left to finish the (WS) specifications and deliver the dream," he said.

The breadth of the WS architecture and the backing of major players should help cement the WS architecture as the accepted Web services standard.

"It would make more sense to combine SAML and Liberty with (the WS architecture) than to create a new Web services standard," he said.

At least one participant in the Tech Ed demonstration sees evolution, more than conflict, shaping the development of standards for Web services.

"It's not an either-or with the Liberty Alliance and WS-Federation," said Amit Jasuja, vice president of product management at Netegrity. "The standards for federation are maturing, with each subsequent release, they're converging and taking new requirements from new communities."

Despite a show of unity from leading vendors, customers shouldn't expect to see real integration between identity management platforms until the release of the next version of Windows, code-named "Longhorn," in 2006, Blum said.

In the meantime, IBM and Microsoft should turn the WS specifications over to a standards group such as OASIS or the Internet Engineering Task Force before they go too far in integrating them with their own products, or risk competing versions of the standard -- one backed by leading vendors, and the other by the standards community, he said.

Copyright © 2004 IDG Communications, Inc.
