Liberty specification released

The Liberty Alliance released specifications for its federated, single sign-on user identification system last week, writes Eric Doyle.

The project aims to provide a series of open specifications that will build into a multiplatform system that can be used by software developers to create a digital identity management system.

The system will compete with Microsoft's Passport (which Microsoft has said it will move to a Kerberos-based design) but, whereas Passport users have to register and store their details with Microsoft, the Liberty Alliance system will allow users to store personal details with a trusted third party of their choosing, such as a bank, or even to spread their details across several third parties.

The Liberty Alliance system is based on the Security Assertion Markup Language (SAML), which has been submitted to the Organization for the Advancement of Structured Information Standards (OASIS) for approval and is expected to be ratified in November. The standard will then be given to the World Wide Web Consortium for adoption.

Several companies have announced that products based on the standard will be available around the end of this year. IBM will incorporate SAML into its Tivoli Access Manager, and RSA Security will start to implement it across its product range, starting with RSA ClearTrust. RSA also plans to develop a security product based entirely on SAML in the next three months.

Sun Microsystems has pledged to incorporate the system as part of the Solaris Unix operating system.

In-house developers are expected to show an interest in the system for integrating single sign-on into corporate networks to allow simpler connection to multiplatform systems and across the Web into partner sites. The specifications can be downloaded free of charge from the Liberty Alliance Web site.

SAML version 1.0 covers the signing-on process and can be used in two ways. A user can link the accounts they already hold at several Web sites, such as their bank, building society and credit card company, to a single sign-on. While signed on with their current credentials at one site, the user specifies which accounts they wish to link, so that in future a sign-on at one of those sites is accepted by the others.

In the e-commerce world, several suppliers can form a "trust ring" (a circle of trust, in Liberty's terminology) whereby they agree that customers validated by one of them can be allowed into one another's sites after signing on just once. This means that a customer who buys an airline ticket online could be directed to the site of a car hire firm or a hotel chain to complete their travel plans without needing to sign in separately to each one.
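The two paragraphs above describe the same mechanism from two angles: a site the user is already signed on to (the identity provider) vouches for that user to another site in the circle of trust (the service provider), and the service provider decides whether to accept that statement. The following is an added illustration, not code from the Liberty Alliance specifications or any vendor product. It models an assertion as a signed record rather than the XML-Signature-protected SAML assertion the real protocol uses, and the issuer names, shared HMAC keys and lifetimes are constructed for the example. What it shows is the set of checks a service provider in a trust ring has to make before trusting a sign-on it did not perform itself: the issuer must be a member of the circle, the signature must verify, the assertion must be addressed to this service provider, it must be within its validity window, and it must not have been presented before.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed circle of trust: issuer entity ID -> key used to verify its
# assertions. Real SAML uses XML signatures checked against the identity
# provider's public key; a shared HMAC secret is an assumption made here to
# keep the example self-contained.
CIRCLE_OF_TRUST = {
    "https://idp.airline.example": b"constructed-airline-idp-key",
}


def _canonical(body):
    # Deterministic serialisation so issuer and verifier sign the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, audience, now=None, lifetime=300):
    """Identity-provider side: state that `subject` signed on here, for `audience`."""
    now = int(time.time() if now is None else now)
    body = {
        "id": secrets.token_hex(16),        # unique ID, lets the SP detect replay
        "issuer": issuer,
        "subject": subject,
        "audience": audience,               # the single SP this is intended for
        "issue_instant": now,
        "not_on_or_after": now + lifetime,  # short validity window
    }
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


class ServiceProvider:
    """Service-provider side: accept a sign-on performed elsewhere only after checks."""

    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers
        self.seen_ids = set()

    def validate(self, assertion, now=None):
        """Return (accepted, subject_or_reason)."""
        now = int(time.time() if now is None else now)
        body = assertion.get("body", {})

        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            return False, "issuer not in circle of trust"

        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False, "signature does not verify"

        if body.get("audience") != self.entity_id:
            return False, "assertion addressed to a different service provider"

        if not (body.get("issue_instant", 0) <= now < body.get("not_on_or_after", 0)):
            return False, "assertion outside its validity window"

        if body["id"] in self.seen_ids:
            return False, "assertion already presented (replay)"
        self.seen_ids.add(body["id"])

        return True, body["subject"]


if __name__ == "__main__":
    hotel = ServiceProvider("https://sp.hotel.example", CIRCLE_OF_TRUST)
    a = issue_assertion("https://idp.airline.example", CIRCLE_OF_TRUST["https://idp.airline.example"],
                        "traveller@example", "https://sp.hotel.example", now=1_000_000)
    print(hotel.validate(a, now=1_000_010))   # accepted
    print(hotel.validate(a, now=1_000_010))   # rejected as a replay
```

The verifier deliberately fails closed and in a fixed order: membership of the circle first, then signature, then audience, then time, then replay. Audience restriction is the check most often forgotten; without it an assertion the airline issued for the car-hire site could be replayed against the hotel.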

Future specifications from the Liberty Alliance will allow users to lodge personal information, including credit card details, with a selected trusted party. They will then be able to control how much of this information is disclosed to a third party. For example, a request for a white paper might only need to disclose the name and the postal or e-mail address of the user, but a purchase would require credit card details too.

The ability to direct the service provider to the required information would save the user from tedious form-filling sessions as they move from Web site to Web site.

The question of the Liberty Alliance and Microsoft going head-to-head in the single sign-on market depends on whether Microsoft chooses to join the alliance. Neither organisation has ruled out working together but how this would work in practice will depend on Microsoft.
