With Liberty and single sign-on for all

The Liberty Alliance Project seeks to solve the current online identity crisis

If you spend much time online, chances are you have established more than one online identity. On Yahoo!, you're JS133xyz and on Slashdot, you're known as KlingonB. To your mortgage company, you're jsmith123, but to your bank and online broker, you're jsmith134 (because jsmith123 was already taken). You get the idea.

Currently, each of your online identities stands independent of the others. This situation has its benefits and its drawbacks. One drawback: independent identities force you to manage all your online identities -- you must remember each identity's name and password and other information, such as your credit card number, that you've associated with each. In my case, the situation has grown so complicated that I must use an application to store and manage everything. However, each identity represents only a small portion of your online activity -- this is a benefit. Because each identity is independent, linking your activities across these identities to more clearly profile your habits online is a difficult task, thus you enjoy a small amount of anonymity. Do you want others tracking everything you do online?

Whether good or bad, the situation won't last much longer. In mid-1999, with little reaction considering the source, Microsoft announced its Passport service. Passport is a single sign-on solution built on Microsoft technology. At the time, it seemed that Microsoft would just leverage its large Hotmail user database and the intellectual property the company gained after acquiring Firefly to drive users to other Microsoft properties, such as MSN (Microsoft Network) or other partner properties. It wasn't until Microsoft unveiled .Net, announced the first services that required Passport, and clarified its plans to wire Passport into every piece of technology they control, that the industry woke up and took notice. One outcome of that awakening: the Liberty Alliance Project.

The Liberty Alliance Project: History, members, and goals

Organized and officially introduced to the world in September 2001, the Liberty Alliance Project is nothing if not ambitious. In spite of being less than half a year old, it manages to weld together 38 influential companies that represent, if you believe the marketing material, over one billion network identities. Sun Microsystems provided the organizing and motivating force behind the Liberty Alliance Project. Other notable members include the Apache Software Foundation and O'Reilly & Associates, both staunch supporters of open source software; a handful of representatives from the Fortune 500, including General Motors, Bank of America, and Sprint; and a broad collection of technology companies, such as VeriSign, RealNetworks, and Cisco. AOL Time Warner, an early holdout, eventually joined after scrapping its own plans to build a single sign-on solution leveraged by its own hefty user base.

Remarkably little detailed information, technical or nontechnical, is available about the Liberty Alliance Project. The organization seeks to define a set of standards and to create the technology necessary to build a universal identity infrastructure. Beyond the technology, it will establish the policies that govern the interactions between online communities.

To date, the Liberty Alliance Project has released no software, only press release-ware. However, if you read the project's literature, you quickly learn that their plan revolves around the concept of federated identity.

What is federated identity?

The Liberty Alliance Project plans to define the technology that will enable federated identity -- a term that is, at first glance, difficult to grok. The term federated identity emerges from the notion that different organizations (government, military, business, and so on) already offer solutions for managing identity within their spheres of interest. However, these spheres don't link together. An identity in one sphere cannot reliably map to an identity in another. This fact seriously impedes seamless interoperability between the systems and applications in each sphere.

The Liberty Alliance Project seeks to build bridges between identities in these different spheres. A federated identity is the union of a person's or an organization's identities across all spheres. My federated identity, the most complete picture of me available in cyberspace, is the union of all the individual identities I have defined for each service I use or subscribe to.

Single sign-on

For the user, federated identity provides only the means to an end -- the end being single sign-on. As a user interacts with different Websites and Web applications today, he must authenticate himself to each site or application, even if he uses the same name and password on each. The user's authenticated identity does not follow the user as he surfs the Web. In a single sign-on environment, the user authenticates himself only once, and that authentication stays in effect for the length of the online session.

You can get a feel for how single sign-on works by examining Microsoft Passport. With Microsoft Passport, once a user logs in to Passport at one participating site, the user can log in to any participating site simply by clicking the Sign In button displayed on that site's Webpage. This mechanism is certainly more convenient than looking up or trying to remember each site's appropriate name and password.

You don't need federated identity to realize single sign-on. Passport originally sought to solve the single sign-on problem by creating a centralized authentication mechanism. Since all Websites and Web applications would authenticate users against this centralized mechanism, the user would have to enter a name and password only once.

Centralization is not an entirely bad idea. Unfortunately, many individuals and organizations cringe at the thought of a centralized authentication mechanism under Microsoft's control. Moreover, Microsoft's solution ignores the reality that many authentication mechanisms already exist, and that solution owners are not going to rip out these mechanisms simply to replace them with Passport. Any successful solution must support these legacy systems. Therefore, in practice, a federated solution is mandatory.

What will Liberty Alliance's solution look like?

Microsoft Passport is already in play; the Liberty Alliance Project is five months old. To get something off the ground in time to counteract the massive advantage that Microsoft Passport now enjoys, Liberty Alliance must adopt an existing solution.

The project has a number of solutions to choose from. Kerberos offers an excellent choice. It's trusted, mature, widely used, and has been handling distributed authentication tasks for more than a decade. More interestingly, it forms the basis for Microsoft's recently announced federated version of Passport. Sun's Java 2 Platform, Standard Edition (J2SE) 1.4 will include client-side support for Kerberos via the GSS-API (Generic Security Services Application Program Interface), which will ensure support for applications written in Java.

I'm purely speculating about Kerberos support, however. Ultimately, the solution developed by the Liberty Alliance Project will affect Java developers in the same way the creation of the Java 2 Platform, Enterprise Edition (J2EE) affected them: it will reduce the number of APIs that a programmer must know to build applications.

Currently, several vendors provide products that let organizations manage identity within that organization's boundaries. All such products are proprietary and largely noninteroperable now. Once a standard is unveiled and blessed by the Liberty Alliance Project, vendors will feel pressure to conform to the standard. In time, all the important products will conform. As is now the case with J2EE, developers will then be able to select products that best meet their needs and pay less attention to the programming interface's details.

The following figure illustrates the relationship between such a scheme and the standard Java APIs. J2SE provides APIs for cryptography and low-level security (Java Cryptography Extension (JCE)), secure socket-based communication (Java Secure Socket Extension (JSSE)), and pluggable authentication and authorization (Java Authentication and Authorization Service (JAAS)). The proposed standard would work with the existing APIs. For example, you could implement single sign-on as a JAAS module that transparently pulled authentication information from the user's environment if that user had already successfully authenticated during the current session.
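As an added illustration (not code from the article or from the Liberty Alliance), the JAAS module sketched above could look like this. The `SessionStore` class is an assumed stand-in for "the user's environment": the web tier binds the caller's session id to the thread, and the store records which sessions have already authenticated; `SsoLoginModule` and `SessionPrincipal` are hypothetical names.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for "the user's environment": the session id the web tier
// bound to the current thread, plus the identities already authenticated this session.
final class SessionStore {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    private static final Map<String, String> AUTHENTICATED = new ConcurrentHashMap<>();
    static void bind(String sessionId) { CURRENT.set(sessionId); }
    static void markAuthenticated(String sessionId, String user) { AUTHENTICATED.put(sessionId, user); }
    static String currentUser() {
        String id = CURRENT.get();
        return id == null ? null : AUTHENTICATED.get(id);
    }
}

// Standard JAAS LoginModule contract: initialize -> login -> commit/abort -> logout.
public class SsoLoginModule implements LoginModule {
    private Subject subject;
    private String user;  // set by login(), consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    // Succeed silently if the session already carries an authenticated identity.
    // Returning false tells JAAS to ignore this module, so a later module in the
    // same configuration (for example a Kerberos module) can prompt for credentials.
    public boolean login() {
        user = SessionStore.currentUser();
        return user != null;
    }

    // Attach the already-authenticated identity to the Subject without prompting.
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new SessionPrincipal(user));
        return true;
    }
    public boolean abort()  { user = null; return false; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof SessionPrincipal); return true; }

    private static final class SessionPrincipal implements Principal {
        private final String name;
        SessionPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
}
```

A JAAS configuration entry such as `App { SsoLoginModule sufficient; com.sun.security.auth.module.Krb5LoginModule required; };` would let the session module short-circuit the login when it succeeds and fall through to Kerberos when it does not.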

Potential relationship between Liberty Alliance solution and Java APIs

Neither Passport nor the Liberty Alliance solution will enjoy widespread adoption for quite a while. No one has ever tried to deploy distributed authentication on the scale proposed by the Liberty Alliance Project or Microsoft. As they develop their respective solutions, the following problems will crop up:

  • Speed: Distributed authentication comes with more overhead and will therefore require more time to authenticate users
  • Synchronization of the databases holding aspects of a user's federated identity
  • Security of the overall solution: Passport has demonstrated this, if nothing else

More unanswered questions

Technical issues aside, plans to implement any authentication infrastructure of the scope of those being designed demand answers to challenging questions. At the top of my list is the nagging question of who really benefits from this technology. Single sign-on definitely eases a user's online activity. Unless, of course, that user's sign-on information is accidentally or maliciously distributed to unauthorized parties, thereby jeopardizing that unfortunate user's entire online identity.

On the other hand, joining a dozen or more previously separate and disconnected online identities into one provides companies with previously unavailable power to track, inspect, and analyze our online behavior. I can't shake the feeling that businesses, not individuals, reap the benefits of single sign-on.

Another question involves standards. The Liberty Alliance Project is committed to developing open standards; however, the project has not yet clarified whether it will submit these standards to a recognized standards body.

Liberty Alliance: Politics as usual?

Microsoft Passport provides online businesses and individuals with single sign-on capability now. The Liberty Alliance Project seeks to counter Passport's threat by developing technology that will attack Passport at its weakest point -- centralized control of the authentication infrastructure.

To be successful, Liberty Alliance doesn't have to produce an implementation or even a specification -- although it would be nice if it did. The project just needs to convince Microsoft to play ball and open up its solution. In that sense, half or more of the Liberty Alliance Project's mission relates to politics, not technology. Like many technologies, the usefulness of any single sign-on solution increases as more companies and products use it.

Todd Sundsted has been writing software since computers became available in desktop models. His interests include security, distributed computing, and the dynamics of massively fine-grained architectures. In addition to writing, Todd codes.
