
RSA 2006: Hunger grows for federated ID

By Bill Brenner, Senior News Writer
16 Feb 2006 | SearchSecurity.com


The RSA Security conference will be held in San Jose, Calif., the week of Feb. 13, and one of the issues to be addressed there will be federated ID management. This story looks at federated ID trends for the coming year.

For Koch Industries, authenticating user identities is no easy task. The Wichita, Kansas-based enterprise is actually a collection of companies stretched across several industries, including energy, chemical technology, ranching, paper, securities and finances. It has a presence in about 50 countries. Many offices function independently, with their own individual computer networks.

This creates a big challenge when it comes to authentication, said Donald Walker, Koch Industries' technology risk manager. And it's one reason he's looking at federated ID management as a possibility for the future.

"If we were all part of one big network we would have less of an interest in federated ID," Walker said. "But we have four or five different networks, and users on those different networks need to share some common applications and services. Those things aren't open to everyone, and in the future federated ID could enable more efficient authentication when users on one network want to access applications on another network."

He has reservations, though. Legacy applications that build up on the network over time may not behave properly with federated ID and will have to be tweaked. That would be difficult for a company with "many, many legacy applications," he said. "Until someone comes along to change the legacy apps, it will still ask for a user name and password. They'll have to be rewritten."

But federated ID enthusiasts say that headache is a small price to pay when one considers the technology's benefits. They believe it's the best way to securely authenticate users and prevent online thieves from impersonating others, especially in an age where business is becoming increasingly virtual and decentralized. "With the Internet you need ID portability. That's what federated identity is about. And with the world we're in now, the technology supporting it is a reality--mobile technology, decoupled systems," said Christopher Ceppi, business development director of Ping Identity, during a panel discussion on federated ID at last April's InfoSec World confab in Orlando, Fla.

And thanks to the Security Assertion Markup Language (SAML) 2.0, advocates say the technology is quickly headed for mainstream use. SAML 2.0 passed a series of interoperability tests and was approved as a formal standard by the Organization for the Advancement of Structured Information Standards (OASIS) in early 2005. On its Web site (www.oasis-open.org), the organization says SAML 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information.


Since its adoption, vendors with tools incorporating SAML 2.0 have lined up for testing conducted by the Liberty Alliance--a global consortium of vendors and users working to develop open federated identity standards for Web services. Roger Sullivan, vice president of Oracle's Identity Management Solutions division and chairman of Liberty Alliance's Conformance Expert Group, said there's been a lot of pent-up demand for federated ID products.

"People knew SAML 2.0 was around the corner, so they held back from federating with new clients," Sullivan said. But with the testing that began last July, he said, "the logjam is breaking free." There have been two rounds of testing so far and a third is planned for spring 2006, he said.

"We're moving rapidly now in the direction of the mainstream," he said, adding that a big example is the federation link Fidelity Investments and the Social Security Administration have established.

"This is so the user can federate between those two entities and do a direct deposit of their Social Security check into their Fidelity account," he said. "The simple elegance of the technology makes it so easy for the user to go from one site to another. Companies that can do this--federate with the Social Security Administration--that really gives them a competitive edge."

SAML 2.0 is an important step because different organizations--OASIS and Liberty Alliance, for example--came together to develop the standard for the common good, Sullivan said, adding, "A lot of vendors worked toward the common interest of solving a universal problem: how to facilitate network identity-based transactions. It's about making it as easy as it is with human beings making face-to-face transactions in the real world; doing those transactions in a networked world and knowing that the person you're dealing with is truly the person they say they are."

Vendors whose products have passed the SAML 2.0 smell test so far include RSA Security, The Electronics & Telecommunications Research Institute, Ericsson, IBM, NEC Corp., Novell, Oracle, Reactivity, Sun Microsystems and Trustgenix.

"Every vendor who participates says, 'My customers want me to be here,'" Sullivan said. "It shows the customers want vendors to go through this test before they will be willing to try their product."

And, he said, it shows there's a hunger in the marketplace for federated ID management.
