Liberty Alliance releases ID management spec

The Liberty Alliance Project released a specification to explain how the organisation's federated identity model could co-exist with Microsoft's .net Passport and other identity management systems.

The white paper, "Identity Systems and Liberty Specification version 1.1 Interoperability", compares and contrasts the consortium's federated identity model against .net Passport, Verified by Visa and other third-party authentication systems.

The paper was written to address the misconception that Liberty was a service akin to Microsoft's .net Passport, said Paul Madsen, the paper's author and a consultant in the Advanced Security Technologies group at Entrust.

"The paper was motivated less to define a framework for Liberty working together with other systems than to address confusion in the marketplace about what Liberty was and how it would work with other systems, and sometimes compete with those other systems."

The white paper also points out fundamental technical differences between .net Passport and the Liberty specifications.

For example, the Liberty Alliance specifications back the use of Security Assertion Markup Language (SAML) for exchanging authentication tokens, as compared with Passport's proprietary schema, and the two authentication systems differ in the way they communicate tokens from one site to the next.

"There were a lot of misconceptions about how Liberty compares to Passport. We wanted to set out the differences and, recognising those, set out some scenarios where Liberty and Passport can exist," Madsen said.

The white paper also proposes a number of scenarios in which .net Passport and Liberty might work together. For example, a third-party website might act as an identity provider in a Liberty "circle of trust" (COT), creating SAML assertions for other service providers, while also existing as a Passport member site that processes tokens issued by Passport. Such a site would then act as a "mediator" between the Liberty-governed domain and the Passport domain, converting Passport tickets into SAML assertions and vice versa.

In the future, the development of Web Services Security standards that are supported by both Liberty and Passport may make the differences between the systems less relevant by stipulating how information and security tokens can be requested and exchanged as part of web services implementations.
