Managing user identities is becoming a bottleneck in many web services projects, and standards uncertainty is hampering attempts to automate the process.
Accurate user identity information is the key to security when linking up systems, but emerging standards leave customers in a dilemma:
- Denmark's Immigration Service operates a portal for other government users to access its data
- But identity management creates unwanted admin
- It would like to provide direct web services access using SAML
- But many of its partners have not yet adopted the standard
- Other standards from WS-Security and Liberty will be needed for full automation
Glossary terms: digital identity, SAML, WS-Security, OASIS, Liberty Alliance, lookup tool
Denmark's Immigration Service, which has embarked on a major web services initiative to provide information to other Danish government departments and ultimately the general public, fears that it faces growing costs to manage user access privileges unless it can automate the management of multiple identities. Its ability to do so depends partly on how quickly standards are ratified and, in turn, how fast its identity management software supplier can absorb the standards in its own applications.
The Immigration Service, which provides information on foreign nationals to a wide range of government departments, decided over a year ago to expose data through web services to overcome the difficulties of accessing its proprietary database. It discovered, however, that most other government departments lagged behind in terms of technical maturity. As an interim measure, it set up a portal that allows external users to log on and access the same services via a web browser. It implemented identity management software from Oblix to handle the administrative overhead of registering and maintaining user IDs. That system, based on one of the first web services implementations in the government, brings real-time electronic access to communications processes that previously went through the postal mail.
Now, according to IT project manager Osip Mikunis, some of its government partners are ready to bypass the portal and call the web services direct, which in theory could generate significant savings in administrative overhead. Take, for example, a government department that's making a payment to a foreign national and wants to check with the Immigration Service whether the recipient's entitled to stay in the country. At the moment, the Immigration Service has to register the department in its portal and administer access for each individual user within the Oblix ID management system. Instead, the external department should be able to call the relevant web service within Immigration, and have its own directory system validate the user's ID, giving its users direct access to the Immigration Service information with a single sign-on.
The problem facing the Immigration Service, however, is that for this to work, both departments have to adhere to the same standards for exchanging ID management information. Oblix currently supports SAML, the Security Assertion Markup Language, which wraps security information up as an XML document and sends it from one system to another. But while SAML, which is promoted by ecommerce standards body OASIS, is seen as a pivotal standard, it's not the only game in town, nor is it enough on its own to complete a fully automated solution. Another OASIS initiative that's also in play, originally instigated by Microsoft and IBM, is the WS-Security framework, which encompasses several layers of related specifications. Meanwhile, the Liberty Alliance, a consortium of vendors and users set up to define standards for federated ID management, is pushing a separate initiative.
This uncertain standards picture complicates matters for individual IT groups trying to implement a web services infrastructure. As Mikunis says: "If one of our partners has to call our system protected by SAML, they have to have something that inserts SAML into the SOAP request, but there are not many systems now on the market that support SAML. That's the dilemma: should I try to wait while our partners purchase some SAML-compliant software, or should I tell them I'm supporting whatever security standard exists today and they may choose from any number of ways?"
For now, the Immigration Service has taken the latter route, and implemented software from Westbridge Technology to act as a gateway to authenticate non-SAML SOAP traffic. This overcomes the immediate problem, but it's not a long-term solution, since the Westbridge broker has to be manually configured with information about each partner's specific set-up (and manually updated each time the set-up changes). In the medium term, Immigration's ability to provide the flexibility that its partners need while automating the entire authentication process will depend on how quickly the identity management industry settles on standards and how fast Oblix and other vendors can support them.
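The receiving side of the exchange described above, whether a SAML-aware service or a gateway in front of it, still has to decide whether the assertion carried in a partner's SOAP request is acceptable before mapping it to a user. The following is an added example, not code from the Immigration Service, Oblix or Westbridge: it checks the issuer against a per-partner trust list, the validity window and the audience of a SAML 1.x assertion in a WS-Security header. The message, namespaces, issuer, audience and user name are all constructed for the example, and XML signature verification is assumed to have been done already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs assumed for the constructed sample (SOAP 1.1, WS-Security 1.0, SAML 1.0).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample: a partner department's SOAP request carrying a SAML assertion.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="{soap}">
 <soap:Header><wsse:Security xmlns:wsse="{wsse}">
  <saml:Assertion xmlns:saml="{saml}" Issuer="idp.partner-department.example"
      IssueInstant="2003-11-01T10:00:00Z">
   <saml:Conditions NotBefore="2003-11-01T10:00:00Z" NotOnOrAfter="2003-11-01T10:05:00Z">
    <saml:AudienceRestrictionCondition>
     <saml:Audience>urn:immigration.example:residence-check</saml:Audience>
    </saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AuthenticationStatement>
    <saml:Subject><saml:NameIdentifier>caseworker42</saml:NameIdentifier></saml:Subject>
   </saml:AuthenticationStatement>
  </saml:Assertion>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>""".format(**NS)

TRUSTED_ISSUERS = {"idp.partner-department.example"}  # one entry per partner (hypothetical)
OUR_AUDIENCE = "urn:immigration.example:residence-check"  # this service's own identifier

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_request(xml_text, now):
    """Return (user, None) if the assertion is acceptable, else (None, reason).
    XML signature verification is assumed to have happened before this step."""
    a = ET.fromstring(xml_text).find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None:
        return None, "no SAML assertion in Security header"
    if a.get("Issuer") not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside validity window"
    audiences = {e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if OUR_AUDIENCE not in audiences:
        return None, "assertion not addressed to this service"
    name = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    return (name.text, None) if name is not None and name.text else (None, "no subject")
```

The per-partner trust list is the piece that the article says must be maintained by hand in the gateway; a standards-based setup replaces it with metadata exchanged between the two directories.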
Prakash Ramamurthy, vice president of products and technology at Oblix, says the company's vision is to position its NetPoint SHAREid product as a federated ID broker that supports SAML, WS-Security, and eventually Liberty. Oblix is already working with Microsoft on elements of WS-Security and has a working prototype, and Ramamurthy added that it will support the standard "once it's fully blessed and ratified". Some observers believe that ratification of the next layer of WS-Security standards, WS-Trust and WS-Federation, could be as soon as Q1 of next year.
Liberty, meanwhile, has contributed its work on federated identity to OASIS, and elements will be incorporated into the next version of SAML, which is likely to be released in the first half of 2004. If necessary, Oblix will additionally work on supporting separate Liberty specifications.
Oblix can already point to successful adoption of SAML for federated identity management in the airline industry. US carrier Southwest Airlines adopted Oblix to manage identities and roles in-house, and the programme was subsequently extended to Boeing to allow Southwest mechanics to access the aircraft manufacturer's systems without requiring a second set of sign-on credentials.
This kind of sector-specific initiative is likely to drive the emergence of federated identity standards going forward. What the industry will be keen to avoid, however, is the emergence of multiple standards or multiple flavors of standards that are customized within industries. That piecemeal approach was a characteristic of past e-business standardization initiatives, such as the emergence of electronic data interchange and more recently of XML itself.
In the meantime, the Danish Immigration Service has a further set of challenges on hand when it comes to offering electronic access to the public. "Ideally, I want to get rid of the interactive portal," says Mikunis. "We're a relatively small organization with limited IT resources; if I allow public access I will have hundreds of thousands of people I have to manage." In effect, he points out, that's similar to running an e-business site, the significant difference being that no money will be generated. Any solution is likely to involve issuing digital signatures to individuals: Denmark's central tax office already allows residents to file tax returns using a digital signature mapped to their social security number. But given the limited resources available to the Immigration Service and the current state of standardization, the automation required to make this a manageable proposition remains, for now, a distant dream.