Liberty Alliance publishes Phase 2 specs

Industry consortium The Liberty Alliance Project has published the final version of its Phase 2 specifications and named five companies releasing identity management products to support the latest standards.

The Phase 2 Liberty Identity Federation Framework finalises a draft standards document released in April. The specifications aim to make web services easier to deploy and ensure that they comply with laws for securing privileged user information.

Web services allow businesses and business applications to use open technology standards such as XML (Extensible Markup Language) and SOAP (Simple Object Access Protocol) to communicate with each other and with customers over corporate intranets or the internet.

Phase 2 builds upon standards laid out in Phase 1 for sharing user authentication information, such as user names and passwords, among organisations. The Phase 2 specifications add guidelines for sharing other user attributes in addition to authentication information, according to Sai Allavarpu, group business manager for network identity services at Sun Microsystems, a founding member of The Liberty Alliance.

The new standards will make it possible to link user accounts at two or more organisations exchanging information in a web services transaction, sharing data such as billing information, credit card numbers and shipping information. That will make "mainstream" web services deployments possible, where they were not with just the Phase 1 specifications, Allavarpu said.

"Phase 2 bakes privacy into the [web services] architecture. When you share data with businesses you can decide what kinds of conditions and controls you want to place on that data," he added.

The Phase 2 specifications also introduce new features such as a "resource owner interaction service" that will allow users to be contacted on mobile devices such as mobile phones and to confirm requests to share their user information.

For example, a book ordered on might generate a request from FedEx, sent to the user's mobile phone or mobile device, to allow FedEx to share the shipping address with Amazon.

Those kinds of services may be particularly attractive to telecommunications companies in Europe and the US, which are eager to expand the number of premium services they can offer their phone customers, but which also must contend with privacy regulations that restrict the sharing of customer information, according to Burton Group analyst Dan Blum.

With a robust identity framework that enables the secure exchange of useful information about user demographics and preferences, telecoms companies will find it easier to market and sell new services such as games, restaurant recommendations and applications.

Vodafone Group intends to use Liberty Phase 1 and Phase 2 standards in its intranet and commercial service platforms. Liberty said Vodafone's platform, which releases in 2004 and 2005, will include the specifications.

Sun said a version of the Java System Identity Server, due out in early 2004, will also support Phase 2 specifications. A beta version of Identity Server supporting the Phase 2 specifications is available for Sun customers to test.

Formerly known as Sun One Identity Server, the Java System Identity Server integrates features such as directory services, access management, user management, single sign-on and user self-service, in addition to federated identity using The Liberty Alliance Phase 2 specifications.

The latest version of Identity Server is designed to reduce the custom software integration customers need to perform when deploying identity and access management systems based on the Liberty specifications.

The product will also support delivery and authentication from mobile devices, including features for detecting the type of mobile device being used and formatting web content to fit the device's screen and resolution requirements.

Liberty has also published a "Privacy and Security Best Practices" document on its website, to help companies navigate the tricky legal waters regarding information practices worldwide. The document includes Liberty Alliance security and privacy recommendations as well as information on addressing common internet network vulnerabilities.

IBM and Microsoft published a competing identity management framework, Web Services Federation Language, or WS-Federation, in July.

The Liberty Alliance has a good lead on IBM and Microsoft, but the various standards, including efforts by the Organisation for the Advancement of Structured Information Standards, will need to converge at some point in the future as web services deployments become more widespread and complex, Blum said.

With the growth in web services implementations, companies are beginning to look more seriously at using technologies such as SAML (Security Assertion Markup Language), an XML-based authentication framework, and at the Liberty Alliance specifications.

Paul Roberts writes for IDG News Service
