Liberty Alliance Details Identity Architecture

Moving to put its stamp on a standards-based method for federated network identity, the Liberty Alliance Tuesday unwrapped plans for a complete identity infrastructure.

The alliance published a white paper outlining the Liberty Alliance Federated Network Identity Architecture, which the organization said is a complete infrastructure that it hopes will resolve many of the technology issues currently hindering deployment of identity-based Web services.

"We're providing a clear view of not just where we're at but where we're headed," Simon Nicholson, chair of the Business Marketing Expert Group at Liberty and manager of Industry Initiatives and Alliances at Sun Microsystems, told internetnews.com. "This is a blueprint for what we're building."

Michael Barrett, president of the Liberty Alliance management board and vice president of Internet Technology Strategy at American Express, added, "Federated network identity is more than just simplified sign-on, as illustrated by our direction. Establishing and sharing your identity is critical to any kind of reciprocal relationship. Just as you wouldn't typically begin a business relationship in the real world without an introduction, you wouldn't enter a business relationship in the online world without establishing and proving your identity."

Under the Liberty Alliance's architecture, identity consists of traits, attributes and preferences. Traits are issued by governments, like driver's licenses and passports, and companies, like employee status and intranet sign-in information, as well as biometric characteristics. Attributes and preferences are specified as characteristics associated with an individual, like a person's airline seating preferences, music preferences, purchasing history or medical history. The Liberty Alliance said attributes and preferences can go beyond individuals to include devices and processes. For instance, they can define a type of device (phone, desktop or kiosk) and its capabilities (text, HTML, audio, etc.).

Together, traits, attributes and preferences comprise an identity, and the relationship between an individual and an entity determines which elements of that identity should be shared. By establishing a federated network identity that links various user identities together, Liberty Alliance argues that identity control and privacy can be maintained while also providing users with ease-of-use and rapid access.

"A federated network identity delivers the benefit of simplified sign-on to users by granting rapid access to resources to which they have permission, but it does not require the user's personal information to be stored centrally," the white paper explained. "This increases security and delivers better identity control. With a federated network identity approach, users authenticate once and can retain control over how their personal information and preferences are used by the service providers. A federated network identity is also beneficial for businesses because it allows them to more easily conduct business transactions with authenticated employees, customers and partners."

Most early work on the creation of federated identities has occurred within the enterprise, but the networks are beginning to form across enterprises, and Nicholson said he expects to see more forming in the coming year. Liberty Alliance calls a group of service providers that share linked identities and have business agreements in place a "circle of trust".

According to Liberty Alliance, a circle of trust's attribute sharing policies are typically based on:

  • A well-defined business agreement between the service providers
  • Notification to the user of information being collected
  • The user granting consent for types of information collected
  • Recording both notice and consent in an auditable fashion, where appropriate.

Once identity is established, the actual architecture which enables federated network identity management consists of a number of modules.

The first is the Liberty Identity Federation Framework (ID-FF), which is responsible for identity federation and management. Nicholson stressed that Liberty Alliance has focused on not invalidating existing identity management investments, noting that ID-FF can be used on its own or in conjunction with existing identity management systems.

"We're not suggesting people throw away what they've already made," he said, adding that 14 of Liberty Alliance's member companies already sell or shortly will be selling identity management products. "It's important to preserve those investments."

The ID-FF framework is designed to work with heterogeneous platforms and with all sorts of network devices, from personal computers to mobile phones, PDAs and emerging devices. ID-FF features include:

  • Opt-in Account Linking, which allows a user with multiple accounts at different Liberty-enabled sites to link the accounts for future authentication and sign-in at those sites
  • Simplified Sign-On, allowing a user to sign on once at a Liberty ID-FF enabled site and to be seamlessly signed on when navigating to another Liberty-enabled site without the need to authenticate again. Liberty Alliance said simplified single sign-on is supported both within and across circles of trust
  • Fundamental Session Management, enabling companies or organizations that link accounts to communicate the type of authentication that should be used when a user signs on. It also enables global sign-out
  • Affiliations, which lets a user choose to federate within a group of affiliated sites
  • Anonymity, allowing a service to request certain attributes without needing to know the user's identity
  • Protocol for the Real-time Discovery and Exchange of Meta Data, allowing the real-time exchange of meta data (such as X.509 certificates and service endpoints) between Liberty-compliant entities.

Liberty Alliance has already released ID-FF.

The second module includes industry standards such as SAML, HTTP, WSDL, XML, etc. Nicholson explained, "We don't want to reinvent stuff that already exists." Much of the schema behind Liberty Alliance's architecture depends on standards and specifications created within OASIS, W3C, and IETF.

The third module, the Liberty Identity Web Services Framework (ID-WSF), is a foundational layer that defines a framework for creating, discovering and consuming identity services. Liberty Alliance said it will allow entities to offer users personalized services. ID-WSF's features include:

  • Permission Based Attribute Sharing, allowing companies or organizations to offer individualized services based on attributes and preferences that the user chooses to share
  • Identity Service Discovery, allowing service providers to dynamically and securely discover a user's identity services
  • Interaction Service, which details protocols and profiles for interactions that will allow services to obtain permission from a user to allow them to share data with requesting services
  • Security Profiles, which describes profiles and requirements for securing the discovery and use of identity services
  • Simple Object Access Protocol (SOAP) Binding, a SOAP-based invocation framework for identity services which defines SOAP Header blocks and processing rules
  • Extended Client Support, for enabling hosting of Liberty-enabled identity based services on devices without requiring HTTP servers or being addressable from the Internet
  • Identity Services Templates, which provide the building blocks for implementing an identity service on top of the ID-WSF.

Liberty Alliance expects to release ID-WSF in mid-2003.
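To make the ID-FF features above (opt-in account linking, simplified sign-on, global sign-out, anonymity) and the ID-WSF permission-based attribute sharing concrete, here is a small added example written for this page; it is not Liberty Alliance code and does not implement the Liberty protocols. It models one identity provider and two service providers in a circle of trust with plain Python dictionaries, signs assertions with an HMAC over a constructed shared key where a real deployment would use the X.509 certificates exchanged as metadata, and uses hypothetical names (`IdentityProvider`, `ServiceProvider`, `attribute_query`, the user "alice", the SPs "airline" and "music"). The security-relevant points it shows are that each service provider receives only a pairwise opaque handle rather than the user's account name, that an assertion issued for one SP is rejected at another, that only attributes the user has consented to for that SP are released, and that notice, consent and release are recorded in an audit list.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Holds the real account; hands out only pairwise opaque handles to service providers."""
    key: bytes                                   # constructed shared key (stand-in for X.509 signing)
    users: dict = field(default_factory=dict)    # username -> {"attrs": {...}, "consent": {sp_id: set}}
    handles: dict = field(default_factory=dict)  # (username, sp_id) -> opaque handle
    owner: dict = field(default_factory=dict)    # handle -> username, known only to the IdP
    sessions: dict = field(default_factory=dict) # username -> set of SPs currently signed on
    audit: list = field(default_factory=list)    # records of linking, consent, release, sign-out

    def link_account(self, username, sp_id, opted_in):
        """Opt-in account linking: mint a random handle so the SP never learns the IdP username."""
        if not opted_in:
            raise PermissionError("user declined account linking")
        handle = secrets.token_hex(16)
        self.handles[(username, sp_id)] = handle
        self.owner[handle] = username
        self.audit.append(("link", username, sp_id))
        return handle

    def sign_on(self, username, sp_id):
        """Simplified sign-on: an assertion bound to one SP that carries only the pairwise handle."""
        handle = self.handles[(username, sp_id)]
        payload = f"{sp_id}:{handle}".encode()
        self.sessions.setdefault(username, set()).add(sp_id)
        return {"sp": sp_id, "handle": handle,
                "sig": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}

    def give_consent(self, username, sp_id, attrs):
        """The user consents to release the named attributes to one SP; the consent is recorded."""
        self.users[username]["consent"].setdefault(sp_id, set()).update(attrs)
        self.audit.append(("consent", username, sp_id, tuple(sorted(attrs))))

    def attribute_query(self, sp_id, handle, requested):
        """Permission-based sharing: the SP asks by handle, so it needs no identity, and only
        attributes consented to for that SP are released. A handle that does not belong to the
        asking SP yields nothing, and the refusal is recorded as well."""
        username = self.owner.get(handle)
        if username is None or self.handles.get((username, sp_id)) != handle:
            self.audit.append(("denied", sp_id, handle))
            return {}
        allowed = self.users[username]["consent"].get(sp_id, set())
        released = {a: self.users[username]["attrs"][a] for a in requested if a in allowed}
        self.audit.append(("release", username, sp_id, tuple(sorted(released))))
        return released

    def global_sign_out(self, username):
        """Session management: one call ends the session at every SP the user signed on to."""
        ended = self.sessions.pop(username, set())
        self.audit.append(("signout", username, tuple(sorted(ended))))
        return ended


class ServiceProvider:
    def __init__(self, sp_id, key):
        self.sp_id, self.key = sp_id, key
        self.local = {}                          # handle -> local account state

    def accept(self, assertion):
        """Reject assertions that are forged or were issued for a different service provider."""
        payload = f"{assertion['sp']}:{assertion['handle']}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if assertion["sp"] != self.sp_id or not hmac.compare_digest(expected, assertion["sig"]):
            return None
        return self.local.setdefault(assertion["handle"], {"linked": True})


def demo():
    """Walks one constructed user through linking, sign-on, attribute release and global sign-out."""
    key = b"circle-of-trust-demo-key"            # constructed value for the example only
    idp = IdentityProvider(key)
    idp.users["alice"] = {"attrs": {"seat": "aisle", "email": "alice@example.test"}, "consent": {}}
    airline, music = ServiceProvider("airline", key), ServiceProvider("music", key)

    h_air = idp.link_account("alice", "airline", opted_in=True)
    h_mus = idp.link_account("alice", "music", opted_in=True)
    airline.accept(idp.sign_on("alice", "airline"))
    music.accept(idp.sign_on("alice", "music"))

    idp.give_consent("alice", "airline", {"seat"})                       # email is not consented
    got_air = idp.attribute_query("airline", h_air, ["seat", "email"])
    got_cross = idp.attribute_query("music", h_air, ["seat"])           # airline's handle at music
    replayed = music.accept(idp.sign_on("alice", "airline"))            # airline assertion at music
    ended = idp.global_sign_out("alice")
    return {"handles_differ": h_air != h_mus, "airline_attrs": got_air,
            "cross_sp_attrs": got_cross, "replay_accepted": replayed is not None,
            "signed_out": sorted(ended), "audit_events": [e[0] for e in idp.audit]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two handles differ, the airline receives only the consented `seat` attribute, the music service gets nothing when it presents the airline's handle, the replayed assertion is refused, and the audit list holds the link, consent, release, denial and sign-out events that a circle of trust's policy expects to be recorded.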

Finally, the fourth module, the Liberty Identity Services Interfaces Specifications (ID-SIS), is a collection of specifications for interoperable services built on top of ID-WSF. Planned for release in the 2003-2004 timeframe, services utilizing ID-SIS may include registration, contact book, calendar, geo-location, presence or alerts. Liberty Alliance said these independent services will be made interoperable through implementing Liberty protocols for each specific service.

The first ID-SIS Liberty Alliance plans to make available will be the Personal Profile Identity Service (ID-Personal Profile), which will define schemas for basic profile information of a user, including name, legal identity, legal domicile, home and work addresses. It can also include phone numbers, e-mail addresses and some demographic information, public key details, and other online contact information. Liberty Alliance explained that by providing organizations with a standard set of attribute fields and expected values, it hopes to create a dictionary or common language which will allow them to speak to each other and offer interoperable services.
