Identity Management
Dec 18th, 2006 by abbot
As we increase our use of services being developed as part of Web 2.0, we find more services linked together and more integrated applications. A year ago, Dick Hardt, CEO of Sxip Identity, sat down with IT Conversations to talk about “Identity 2.0: Identity Protocols, Today and Tomorrow.” ZDNet posted an article back in May, “The Many Players at IIW.” IIW is the Internet Identity Workshop. Of course, I have to point out Phil Windley’s blog, Technometria. Phil is the author of the O’Reilly book “Digital Identity,” and a man who knows what he is talking about.
Dick Hardt stated, “The identity management industry needs a common approach to secure, role-based access and compliance reporting for the enterprise, and open source projects like Bandit from Novell and Higgins are a great step in that direction. We see this as a natural complement to the user-centric Identity 2.0 efforts being made with SXIP and DIX and are excited to work with them on adding support of Bandit, Higgins and eDirectory™.”
Talking with a friend of mine, Vincent Tillman, I was reminded that the problem is that at some level projects must interoperate in a large enterprise. The Security Assertion Markup Language (SAML) (for real-time management) and Liberty (federation/trust between systems) always seem to be mentioned in the “going-to-be supported” category. Another, the Service Provisioning Markup Language (SPML), allows resources (e.g., an Oracle DB) and managers (e.g., Tivoli or Sun IdM) to create and manage accounts by calling standard (web) services. SPML and SAML are both Web Services initiatives for standard account and access management. I’ll just mention that the OASIS general membership voted to accept SPML v2.0 as an OASIS Standard. SAML v2.0 was accepted by OASIS back in March 2005.
I am going to quote from IT Conversations, “Hardt differentiates Identity 1.0 from Identity 2.0 by describing the move from a directory centric environment where authentication means simply that your identity is registered on a web site’s directory to a user centric environment where an identity can truly be applied to a variety of web sites. He believes this will happen because the recent history of technological initiatives shows that open and simple wins out.”
To add to this idea, I’ll quote redmonk, “Identity 2.0 systems are interested in using the concept of a user’s identity as a declarative bundle of claims about the user: from things like their name, address, to less traditional things like their desires, customer service history, and other attributes that are usually not so much associated with a user identity. That’s the first big leap of Identity 2.0 think: a user’s attributes should be associated with that user’s identity.”
For an example of Identity 2.0, and keeping it in the open source area, take a look at OpenID. To quote the site, “OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do: with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.” It is a decentralized digital identity system, in which any user’s online identity is given by a URL (such as for a blog or a home page), or an XRI in the latest version, and can be verified by any server running the protocol.
Wikipedia adds, “On OpenID-enabled sites, Internet users don’t need to create and manage a new account for every site before being granted access. Instead, they only need to be able to authenticate with a trusted site that supports OpenID, called the identity provider (or IdP, sometimes called an i-broker). The identity provider can then confirm ownership of the user’s OpenID identifier to other OpenID-enabled sites, called relying parties or RPs. Unlike most single sign-on architectures, OpenID does not specify the authentication mechanism. Therefore, the strength of an OpenID login depends on how much a relying party knows about the authentication policies of the identity provider. Without such knowledge, OpenID is not meant to be used on sensitive accounts (banking, e-commerce transactions, etc.), but if an identity provider uses strong authentication, OpenID can be used for all types of transactions.”
Sounds like an interesting idea. The need to maintain duplicate user data within an organization is a problem, and it gets worse as services are moved outside the organization. This is the advantage of a distributed authentication system like OpenID. On the backend, you can authenticate from any data source, including but not limited to LDAP. Even the inclusion of user information from legacy systems is possible. When Access Control Lists become a reality, it will be possible to eliminate any user data from ever being stored on any site other than the central source accessed by the OpenID server.
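To make the identity provider / relying party split concrete, here is an added example (mine, not code from the OpenID project or from any of the sites quoted above) that simulates an OpenID 2.0 style exchange in association mode: the RP first obtains a shared MAC key from the provider, the provider authenticates the user and returns a positive assertion signed over the fields listed in openid.signed, and the RP accepts it only after checking the return_to address, the provider endpoint, the association handle, the signature and the response nonce. The endpoints, the test account and the choice of HMAC-SHA256 are assumptions for the demonstration; the real protocol negotiates the key with Diffie-Hellman over HTTP and involves discovery on the claimed identifier, both of which are left out here.

```python
# Added example: simplified OpenID 2.0 association-mode exchange, in memory only.
# Endpoints, the user account and the signing algorithm are constructed choices.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"


def kv_form(fields, signed_keys):
    """Key-value form that is signed: 'key:value\\n' per field, in the order
    given by openid.signed, with the 'openid.' prefix stripped from the keys."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


class IdentityProvider:
    """The OP: holds user accounts and one shared MAC key per association."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.associations = {}      # assoc_handle -> shared MAC key
        self.users = {}             # claimed identifier -> password (constructed)

    def associate(self):
        # Real OpenID agrees this key with Diffie-Hellman; here it is just generated.
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def checkid(self, claimed_id, password, assoc_handle, return_to):
        """Authenticate the user; return a signed id_res assertion or a cancel."""
        if self.users.get(claimed_id) != password:
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
        # Nonce = UTC timestamp plus random suffix, unique per response.
        nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        nonce += secrets.token_hex(4)
        signed = ["op_endpoint", "return_to", "response_nonce",
                  "assoc_handle", "claimed_id", "identity"]
        fields = {
            "openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint, "openid.return_to": return_to,
            "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.signed": ",".join(signed),
        }
        mac = hmac.new(self.associations[assoc_handle],
                       kv_form(fields, signed).encode(), hashlib.sha256).digest()
        fields["openid.sig"] = base64.b64encode(mac).decode()
        return fields


class RelyingParty:
    """The RP: trusts an assertion only via the association key and its own checks."""
    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                       "assoc_handle", "claimed_id", "identity"}

    def __init__(self, return_to, op):
        self.return_to = return_to
        self.op_endpoint = op.endpoint
        self.assoc_handle, self.assoc_key = op.associate()
        self.seen_nonces = set()    # replay protection for this OP

    def verify(self, resp):
        """Return (accepted, reason or verified claimed identifier)."""
        if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        signed = resp.get("openid.signed", "").split(",")
        if not self.REQUIRED_SIGNED <= set(signed):
            return False, "a required field is not covered by the signature"
        if resp["openid.return_to"] != self.return_to:
            return False, "return_to does not match this RP"
        if resp["openid.op_endpoint"] != self.op_endpoint:
            return False, "assertion is from a different OP endpoint"
        if resp["openid.assoc_handle"] != self.assoc_handle:
            return False, "unknown association handle"
        expected = hmac.new(self.assoc_key, kv_form(resp, signed).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(resp.get("openid.sig", ""))):
            return False, "bad signature"
        nonce = resp["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return False, "replayed response_nonce"
        self.seen_nonces.add(nonce)
        return True, resp["openid.claimed_id"]


def run_demo():
    """Constructed scenario: a good login, a tampered assertion and a replay."""
    op = IdentityProvider("https://idp.example/openid")
    op.users["https://alice.example/"] = "correct horse"      # constructed account
    rp = RelyingParty("https://rp.example/login/return", op)
    good = op.checkid("https://alice.example/", "correct horse",
                      rp.assoc_handle, rp.return_to)
    accepted = rp.verify(good)
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://bob.example/"   # changed after signing
    forged = rp.verify(tampered)
    replayed = rp.verify(good)                                # same nonce again
    return accepted, forged, replayed


if __name__ == "__main__":
    print(run_demo())
```

The point the Wikipedia passage makes shows up in the code: the RP can verify that the provider vouched for the identifier, but nothing in the assertion says how the provider authenticated the user, so the RP's trust in the login is bounded by what it knows about that provider's policy.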
After the Digital ID World conference, John Fontana, Senior Editor, Infrastructure for Network World magazine, wrote in his article “Higgins lays out roadmap for open source identity project” that
The Higgins group plans to release a middleware piece called the Identity Attribute Service that acts as a layer on top of identity repositories such as directories or applications. It can aggregate data from multiple sources in real time and bundle them into a single identity credential. The idea is to link to data without having to move it around the network.
Mark Wahl writes, “There are several ways of looking at these APIs. One is that they are conceptually similar to APIs such as Active Directory Service Interfaces (ADSI) or Java Naming and Directory Interface (JNDI), in that they provide an abstraction to enable an application to be independent of the API of a lower layer access protocol. In this view, Higgins would offer a higher level abstraction as well as a different set of supported protocols: OpenID, WS-Trust and LDAP instead of Novell NetWare, NIS and LDAP.”
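The two passages above describe an abstraction layer that consults several repositories live and assembles one credential per subject. As an added illustration (my own sketch, not Higgins code or its API), the following builds such a layer over two constructed in-memory sources standing in for an LDAP directory and an HR application: each attribute has an ordered list of authoritative sources, the first source with a value wins, every claim carries its provenance, and the service fails closed when a required attribute cannot be found. The source names, attribute names and sample records are all assumptions for the demonstration.

```python
# Added example: a toy identity attribute service over several live sources.
# Sources and records are constructed stand-ins, not a real directory or app.


class DirectorySource:
    """Stand-in for an LDAP directory (constructed data)."""
    name = "ldap"

    def __init__(self, entries):
        self._entries = entries

    def lookup(self, subject, attribute):
        return self._entries.get(subject, {}).get(attribute)


class HRAppSource:
    """Stand-in for an HR application (constructed data)."""
    name = "hr"

    def __init__(self, rows):
        self._rows = rows

    def lookup(self, subject, attribute):
        return self._rows.get(subject, {}).get(attribute)


class IdentityAttributeService:
    """Links to repositories at request time; nothing is copied into the service."""

    def __init__(self):
        self._authority = {}    # attribute -> sources in order of precedence

    def register(self, source, attributes):
        for attr in attributes:
            self._authority.setdefault(attr, []).append(source)

    def credential(self, subject, required=()):
        """Assemble one claims bundle; each claim records which source supplied it."""
        claims = {}
        for attr, sources in self._authority.items():
            for src in sources:             # first source with a value wins
                value = src.lookup(subject, attr)
                if value is not None:
                    claims[attr] = {"value": value, "source": src.name}
                    break
        missing = [a for a in required if a not in claims]
        if missing:                         # fail closed rather than issue a partial credential
            raise LookupError(f"{subject}: missing required attributes {missing}")
        return {"subject": subject, "claims": claims}


def build_service():
    """Constructed wiring: directory owns uid/mail, HR owns department/manager,
    and the directory's department is only a fallback when HR has none."""
    ldap = DirectorySource({"alice": {"uid": "alice", "mail": "alice@example.test",
                                      "department": "Sales (stale copy)"}})
    hr = HRAppSource({"alice": {"department": "Engineering", "manager": "carol"}})
    svc = IdentityAttributeService()
    svc.register(ldap, ["uid", "mail"])
    svc.register(hr, ["department", "manager"])
    svc.register(ldap, ["department"])
    return svc


if __name__ == "__main__":
    print(build_service().credential("alice", required=["uid", "department"]))
```

The precedence list is where the "link rather than move" idea pays off: when HR changes Alice's department, the next credential reflects it even though the stale copy in the directory was never touched.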
I have written more than intended on this topic. It is a very interesting area, which I will revisit later. For now, I just wanted to point out a few concepts and links.
