The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: June 23, 2008
Liberty Alliance Specifications for Federated Network Identification and Authorization

Overview

The Liberty Alliance Project is a consortium of commercial and non-commercial organizations working to "support the development, deployment and evolution of an open, interoperable standard for federated network identity. The vision of the Liberty Alliance is to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information. To accomplish its vision, the Liberty Alliance will establish an open standard for federated network identity through open technical specifications that will: (1) Support a broad range of identity-based products and services; (2) Enable commercial and non-commercial organizations to realize new revenue and cost saving opportunities that economically leverage their relationships with customers, business partners, and employees; (3) Provide consumers with choice of identity provider(s), the ability to link accounts through account federation, and the convenience of single sign-on, when using any network of connected services and devices; (4) Increase ease of use for e-commerce consumers; and (5) Help to stimulate e-commerce." [LA website description 2002-07]

Specifications

[November 12, 2003]   Liberty Alliance Publishes Final Phase 2 Specifications and Previews Phase 3.    An announcement from the Liberty Alliance Project describes the final publication of Phase 2 Specifications in the Liberty Identity Web Services Framework, along with the Liberty Privacy Guidelines for Federated Identity. The announcement also sketches a roadmap for Liberty Alliance Phase 3 deliverables that will benefit from member participation in two new expert groups. A Services Expert Group was formed "to define and manage the process for creating new service specifications," and a Conformance Expert Group (CEG) was formed "to define and manage the process for validating interoperability between vendors' implementations of the Liberty Alliance standards." New Service Interface Specifications planned for Liberty Phase 3 include: (1) a Contact Book Service Interface, providing a "common method for users to manage and share personal or business contacts regardless of contact book provider, enabling service providers to access or automatically update, at the user's request, information like billing or shipping address"; (2) a Geo-location Service Interface, "supporting an interoperable way to automatically identify a person's location, at the user's request, to provide services like weather, news, travel or currency updates or directions to a chosen location"; (3) a Presence Service Interface "defining a common way for users to share presence information. The new Liberty Web Services Framework provides organizations with an open, standards-based way of delivering identity-based web services that can enable new revenue opportunities, cut internal IT costs, and make web services more secure and private. Because the Liberty specifications are built on existing open industry standards such as SAML, SOAP, XML and WS-Security, they can be deployed and supported in any environment and maximize an organization's investment in non-proprietary standards." The announcement identifies five companies that have announced plans to support the Phase 2 Liberty specifications in existing or new products and services.

Phase 2 Specifications

[April 15, 2003]   Liberty Alliance Releases Phase 2 Specifications for Federated Network Identity.    The Liberty Alliance Project has published draft versions of its Phase 2 specifications and guidelines for identity-based web services. The technical specification drafts provide three new elements to Liberty Alliance's Federated Network Identity Architecture. The Liberty Identity Federation Framework (ID-FF) version 1.2 now includes protocols for Affiliations and Anonymity. Liberty Identity Web Services Framework (ID-WSF) provides for Permissions-Based Attribute Sharing, Identity Discovery Service, Interaction Service, Security Profiles, and Extended Client Support. An initial service interface specification 'Personal Profile' is part of the Liberty Identity Service Interface Specifications (ID-SIS). "Drafts of security and privacy implementation guidelines as well as a Privacy and Security Best Practices document are also introduced with the Phase 2 draft specifications. These documents highlight global privacy laws and fair information practices, as well as provide implementation guidance for organizations using the Liberty Alliance specifications to build identity-based services. A Liberty Alliance public interoperability event being held at the RSA 2003 conference is bringing together 20 of the industry's leading hardware, software, mobile device and service companies; these companies will showcase how Liberty's Phase 1 specifications for opt-in account linking and simplified sign-on can be used today in numerous business scenarios. Liberty's specifications, which are developed collaboratively by members representing various industries and organizations across the globe, are open and free for anyone to download. The specifications support and include other open industry standards like SAML, SOAP, WAP, WS-Security and XML. This allows businesses to implement Liberty-enabled products and services confidently, knowing they will interoperate with the company's infrastructure and the infrastructure of its customers and business partners."

Version 1.1 Specifications

[November 19, 2002]   Liberty Alliance Releases Draft Version 1.1 Specifications for Public Review.    The Liberty Alliance Project has released a public review draft of its version 1.1 specifications. This maintenance update incorporates feedback received from members and non-members during the last three months. The version 1.1 document suite is the first to be issued by the Liberty Alliance for public input. The Liberty Alliance Project represents "an alliance of more than 130 technology and consumer organizations formed to develop and deploy open, federated network identification specifications that support all current and emerging network devices in the digital economy. Its specifications focus on enabling interoperability between technology systems to make it easy for businesses to provide opt-in account linking and simplified sign-on functionality to partners, customers and employees." The version 1.1 draft specification suite includes two XML Schema files corresponding to the Protocols and Schema Specification and the Authentication Context Specification. The Liberty Bindings and Profiles Specification defines concrete transport bindings and usage profiles for the abstract Liberty protocols. Supporting documents include an Overview, Glossary, and Implementation Guidelines. In addition to the editorial changes, the v1.1 specification fixes a vulnerability in a Liberty-enabled Client/Proxy Profile and includes minor enhancements to provide additional flexibility in the specifications for identity and service providers. The public review period extends through December 16, 2002.

Documents:

Version 1.0 Specifications

On July 15, 2002 the Liberty Alliance Project released its version 1.0 open federated network identity specifications, and several vendors at the Burton Group Catalyst Conference in San Francisco announced plans to deliver Liberty-enabled products and services. The Liberty Alliance Project is an alliance (60+ members) formed to deliver and support a federated network identity solution for the Internet that enables single sign-on for consumers as well as business users in an open, federated way. "The version 1.0 specifications focus on interoperability between systems to enable opt-in account linking and simplified sign-on functionality. This allows users to decide whether to link accounts with various identity providers and makes it easier for both consumers and businesses to take advantage of the growing Web services space." Specific functionality outlined in version 1.0 includes: (1) Opt-in account linking; (2) Simplified sign-on for linked accounts; (3) Authentication context; (4) Global log-out; (5) Liberty Alliance client feature. The six-part specification includes: Architecture Overview, Architecture Implementation Guidelines, Authentication Context Specification, Bindings and Profiles Specification, Protocols and Schemas Specification, and a Technical Glossary. "The Liberty Alliance specifications leverage industry-standard security and data transfer protocols, including the Security Assertion Markup Language (SAML), developed by OASIS; SAML is quickly becoming the de-facto means for exchanging user credentials between trusted environments."

Liberty Alliance V1.0 Specification Overview:

This specification defines a set of protocols that collectively provide a solution for identity federation management, cross-domain authentication, and session management. This specification also defines provider metadata schemas that may be used for making a priori arrangements between providers.

The Liberty architecture contains three actors: Principal, identity provider, and service provider. A Principal is an entity (for example, an end user) that has an identity provided by an identity provider. A service provider provides services to the Principal.

Once the Principal is authenticated to the identity provider, the identity provider can provide an authentication assertion to the Principal, who can present the assertion to the service provider. The Principal is then also authenticated to the service provider if the service provider trusts the assertion. An identity federation is said to exist between an identity provider and a service provider when the service provider accepts authentication assertions regarding a particular Principal from the identity provider. This specification defines a protocol where the identity of the Principal can be federated between the identity provider and the service provider.

This specification relies on the SAML specification [defined in SAML Core]. In SAML terminology, an identity provider acts as an Asserting Party and an Authentication Authority, while a service provider acts as a Relying Party.

Liberty Alliance specification version 1.0 documents:

  • Liberty Bindings and Profiles Specification. Edited by Jason Rouault (Hewlett-Packard Company). Version 1.0. Reference: liberty-architecture-bindings-and-profiles-v1.0. 11-July-2002. 57 pages. "This specification defines the bindings and profiles of the Liberty protocols and messages to HTTP-based communication frameworks. This specification relies on the SAML core framework in [SAMLCore] and makes use of adaptations of the SAML profiles in [SAMLBind]. A separate specification, ['Liberty Protocols and Schemas Specification'], is used to define the Liberty protocols and messages used within the profiles."

  • Liberty Architecture Overview. Edited by Jeff Hodges (Sun Microsystems, Inc.). Version 1.0. Reference: liberty-architecture-overview-v1.0. 11-July-2002. 41 pages. "The path to realizing a rich, fertile federated identity infrastructure can be taken in phases. The natural first phase is the establishment of a standardized, multivendor, Web-based single sign-on with simple federated identities based on today's commonly deployed technologies. This document presents an overview of the Liberty Version 1.0 architecture, which offers a viable approach for implementing such a single sign-on with federated identities. This overview first summarizes federated network identity, describes two key Liberty Version 1.0 user experience scenarios, summarizes the Liberty engineering requirements and security framework, and then provides a discussion of the Liberty Version 1.0 architecture."

  • Liberty Protocols and Schemas Specification. Edited by John D. Beatty (Sun Microsystems, Inc.). Version 1.0. Reference: liberty-architecture-protocols-schemas-v1.0. 11-July-2002. 27 pages. "This specification defines the abstract Liberty protocols for identity federation, single sign-on, name registration, federation termination, and single logout. Several concrete bindings and profiles of these protocols are defined in the 'Liberty Bindings and Profiles Specification'. This specification uses schema documents conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded SAML assertions and protocol messages."

  • Liberty Architecture Glossary. Edited by Hank Mauldin (Cisco Systems, Inc.). Version 1.0. Reference: liberty-tech-glossary-v1.0. 11-July-2002. 13 pages. "This document is intended to provide a reference of terms, which ensures that when discussing identity solutions for the Internet and, in particular, the solution defined by the Liberty Alliance, a common understanding of their meaning exists. This document is not intended to be a complete and authoritative compendium of all terms used when discussing network identity, but rather a comprehensive list of definitions for concepts used in the whole Liberty scope."

  • Liberty Authentication Context Specification. Edited by Paul Madsen (Entrust, Inc.). Version 1.0. Reference: liberty-architecture-authentication-context-v1.0. 11-July-2002. 35 pages. "This specification defines a syntax for the definition of authentication context statements and an initial list of Liberty authentication context classes... Authentication context is defined as the information additional to the authentication assertion itself that the service provider may require before it makes an entitlements decision... Liberty will not prescribe a single technology, protocol, or policy for the processes by which identity providers issue identities to Principals and by which those Principals subsequently authenticate themselves to the identity provider... If the service provider is to place sufficient confidence in the authentication assertions it receives from an identity provider, it will be necessary for the service provider to know which technologies, protocols, and processes were used or followed for the original authentication mechanism on which the authentication assertion is based. Armed with this information and trusting the origin of the actual assertion, the service provider will be better able to make an informed entitlements decision regarding what services the subject of the authentication assertion should be allowed to access."

  • Liberty Architecture Implementation Guidelines. Edited by Lena Kannappan (France Telecom) and Matthieu Lachance (Openwave Systems Inc.). Version 1.0. Reference: liberty-architecture-impl-guidelines-v1.0. 11-July-2002. 12 pages. "This document defines the recommended implementation guidelines and checklists for the Liberty architecture focused on deployments for the service-providing entities: service providers, identity providers, and Liberty-enabled clients or proxies (LECPs). It is intended to provide recommended implementation guidelines to Liberty component developers to help them decide what they need to implement to meet their business needs... The document also provides a checklist of requirements based on the following Liberty architecture specification categories that implementers can use to advertise their supported feature set: (a) Functionality in the Liberty protocols and schemas described (b) Bindings and profiles defined for each Liberty protocol type (specific interactions between identity providers, service providers, and LECPs) (c) The authentication request and reply context-specific information."

Specification description from the FAQ document:

On July 15, 2002 the Liberty Alliance announced public availability of its version 1.0 specifications, the consortium's open, platform-agnostic specifications for federated network identity. The version 1.0 specifications focus on interoperability between systems to enable opt-in account linking and simplified sign-on functionality. This allows users to decide whether to link accounts with various identity providers and makes it easier for both consumers and businesses to take advantage of the growing Web services space. The Liberty Alliance also released guidance on how its next set of specifications will build on the version 1.0 specifications.

The Liberty version 1.0 specifications are the first step in building an open federated identity platform that will enable users to link their accounts with various disparate identity providers. Specifically, the first specifications enable the following features:

  • Opt-in account linking: Users can choose to link accounts they have with different service providers that are within "circles of trust" (existing business agreements or affinity programs)
  • Simplified sign-on for linked accounts: Once a user's accounts are federated, he/she can log in and authenticate at one linked account and navigate to another linked account without having to log in again.
  • Authentication context: Institutions or companies linking accounts can communicate the type and level of authentication that should be used when the user logs into different accounts.
  • Global log-out: Once a user logs out of the site where they initially logged in, the user can be automatically logged out of all the other linked sites where the user still maintains a live session.
  • Liberty Alliance client feature: This can be implemented on particular client solutions in fixed and wireless devices to facilitate use of the Liberty version 1.0 specifications.

The Liberty version 1.0 specifications do not involve the exchange of personal information, but rather a format for exchanging authentication information between companies so as to not reveal the identity of the user. The user may maintain separate identities in different locations.
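The roles and checks described in the specification overview and the feature list above, as an added Python model that is not part of the Liberty specifications or of any Liberty Alliance code: an identity provider mints a separate opaque name identifier for each service provider when the user opts in to federation (so two providers cannot correlate the user by comparing identifiers), issues a time-bounded authentication assertion that carries an authentication context, and drives global log-out; a service provider accepts the assertion only if the issuer is in its circle of trust, the signature verifies, the audience is itself, the validity window holds and the authentication context is strong enough. The provider names, keys, context class names, timestamps and the HMAC standing in for the XML signature a SAML assertion actually carries are all constructed assumptions.

```python
"""Toy model of the Liberty ID-FF 1.0 roles: identity provider (IdP), service providers
(SPs), opt-in federation with a per-SP pseudonym, assertion checks, and global log-out.
Constructed example, not Liberty Alliance code; an HMAC stands in for the XML signature."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Authentication context classes ranked by strength (illustrative names, not Liberty's).
CONTEXT_RANK = {"Password": 1, "PasswordProtectedTransport": 2, "SmartcardPKI": 3}


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


@dataclass
class IdentityProvider:
    idp_id: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    federations: dict = field(default_factory=dict)  # (user, sp_id) -> opaque pseudonym
    sessions: dict = field(default_factory=dict)     # user -> SPs given an assertion

    def federate(self, user, sp_id):
        """Opt-in account linking: one pseudonym per SP, so SPs cannot correlate the user."""
        return self.federations.setdefault((user, sp_id), secrets.token_hex(16))

    def issue_assertion(self, user, sp_id, authn_context, now, lifetime=300):
        pseudonym = self.federations.get((user, sp_id))
        if pseudonym is None:
            raise PermissionError("user has not federated this account")
        body = {"issuer": self.idp_id, "audience": sp_id, "name_id": pseudonym,
                "authn_context": authn_context, "not_before": now, "not_after": now + lifetime}
        self.sessions.setdefault(user, set()).add(sp_id)
        sig = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}

    def global_logout(self, user):
        """Global log-out: hand back every SP that must end its session for this user."""
        return self.sessions.pop(user, set())


@dataclass
class ServiceProvider:
    sp_id: str
    min_context: str                                  # weakest acceptable authn context
    trusted_idps: dict                                # circle of trust: idp_id -> key
    sessions: set = field(default_factory=set)        # pseudonyms with a live session

    def accept(self, assertion, now):
        """Return (True, pseudonym) or (False, reason); every check precedes trusting the bearer."""
        body, sig = assertion["body"], assertion["signature"]
        key = self.trusted_idps.get(body["issuer"])
        if key is None:
            return False, "issuer not in circle of trust"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if body["audience"] != self.sp_id:
            return False, "assertion addressed to another provider"
        if not body["not_before"] <= now < body["not_after"]:
            return False, "assertion outside validity window"
        if CONTEXT_RANK.get(body["authn_context"], 0) < CONTEXT_RANK[self.min_context]:
            return False, "authentication context too weak"
        self.sessions.add(body["name_id"])
        return True, body["name_id"]

    def logout(self, name_id):
        self.sessions.discard(name_id)


def demo():
    """Run the flows end to end and collect outcomes (constructed names and times)."""
    now = 1_000_000
    idp = IdentityProvider("idp.example")
    travel = ServiceProvider("travel.example", "Password", {idp.idp_id: idp.key})
    bank = ServiceProvider("bank.example", "SmartcardPKI", {idp.idp_id: idp.key})
    sps = {travel.sp_id: travel, bank.sp_id: bank}
    results = {"pseudonyms_differ":
               idp.federate("alice", travel.sp_id) != idp.federate("alice", bank.sp_id)}
    a_travel = idp.issue_assertion("alice", travel.sp_id, "Password", now)
    results["travel_ok"] = travel.accept(a_travel, now)[0]
    results["replay"] = bank.accept(a_travel, now)[1]          # wrong audience
    results["expired"] = travel.accept(a_travel, now + 600)[1]
    results["weak"] = bank.accept(
        idp.issue_assertion("alice", bank.sp_id, "Password", now), now)[1]
    results["bank_ok"] = bank.accept(
        idp.issue_assertion("alice", bank.sp_id, "SmartcardPKI", now), now)[0]
    tampered = {"body": dict(a_travel["body"], audience=bank.sp_id),
                "signature": a_travel["signature"]}               # edited body, old signature
    results["tampered"] = bank.accept(tampered, now)[1]
    rogue = IdentityProvider("rogue.example")                 # not in either circle of trust
    rogue.federate("alice", travel.sp_id)
    results["rogue"] = travel.accept(
        rogue.issue_assertion("alice", travel.sp_id, "SmartcardPKI", now), now)[1]
    for sp_id in idp.global_logout("alice"):
        sps[sp_id].logout(idp.federations[("alice", sp_id)])
    results["all_logged_out"] = not travel.sessions and not bank.sessions
    return results
```

Running `demo()` exercises each rejection path separately: an assertion meant for one provider is refused by another on audience, an edited body fails the signature check before anything else is consulted, an assertion from a provider outside the circle of trust is refused before its signature is even examined, and a provider whose policy demands a smart-card context refuses a password-only assertion even though it is otherwise valid.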

Network identity refers to the global set of attributes that are contained in an individual's various accounts with different service providers. These attributes include such information as name, phone numbers, social security numbers, addresses, credit records and payment information. For individuals, network identity is the sum of their financial, medical and personal data, which must be carefully protected. For businesses, network identity represents their ability to know their customers and constituents and reach them in ways that bring value to both parties.

Federated network identity means consumers and businesses can allow separate entities to manage different sets of identity information. Account federation enables associating, connecting or binding a user's multiple Internet accounts within an affiliated group established between or among commercial and non-commercial organizations and governed by some legal agreement. Federated single sign-on enables users to sign on with one member of an affiliate group and subsequently use other sites within the group without having to sign-on again.

[The version 2.0 specifications] will extend the simplified sign-on capabilities in version 1.0 and enable organizations to share certain personal information of users according to the permissions and preferences granted by the user. The Alliance also anticipates that the next set of specifications will enable organizations to link and extend their service offerings between various "circles of trust" or industries.

Principal URLs

Related Topics

News, Articles and Commentary

  • [June 23, 2008] "Liberty Alliance Announces First Release of Identity Governance Framework Components. Consortium Releases CARML (Client Attribute Requirements Markup Language) and Privacy Constraints Draft Specifications to Protect Personally Identifiable Information Across Applications and Networks." — "Liberty Alliance, the global identity community working to build a more trustworthy internet for consumers, governments and businesses worldwide, today announced the first public release of components of the Liberty Identity Governance Framework. Developed with wide cross-industry support, the Liberty Identity Governance Framework (IGF) is the industry's first programmatic and auditable open standards-based initiative designed to help organizations better govern and protect identity-related employee, customer and partner information as it flows across heterogeneous applications and networks. The IGF helps organizations meet regulatory requirements such as the European Data Protection Initiative, Gramm-Leach-Bliley Act, PCI Security Standard, and Sarbanes-Oxley by allowing enterprises to more easily determine and control how identity information, including personally identifiable information (PII), is used, stored and propagated across diverse systems, helping to ensure the information is easily auditable and not abused, compromised or misplaced. For example, with the IGF, an enterprise that may require customers to submit a social security number as part of account registration, could easily monitor which applications need to have access to social security numbers to ensure that only authorized credit verification services have direct access to this information. Two draft specifications are included in today's release: CARML Specification: The CARML specification is a policy format that applications, devices, and services can use to characterize required identity data, coupled with privacy constraints governing use. It allows auditors and deployers to understand what identity information an application requires so that services can be deployed flexibly over enterprise identity architectures based on LDAP, Liberty SAML 2.0 Federation, WS-Trust, and Liberty Web Services (ID-WSF). Privacy Constraints Specification: The Privacy Constraints specification provides a means of expressing commitments and obligations about identity data. It defines a small set of privacy terms, concerned with purpose, propagation, storage and display of identity data, which can be further profiled for use by industry verticals and national jurisdictions..."

  • [March 20, 2008] "Liberty Alliance Web Services Framework: A Technical Overview." A Liberty Alliance Project Technical Report. By Conor Cahill (Intel), Carolina Canales (Ericsson), Hubert A. Le Van Gong (Sun Microsystems), Paul Madsen (NTT), Eve Maler (Sun Microsystems), Greg Whitehead (HP). Version 1.0. February 14, 2008. 16 pages. "This overview document enumerates the major features of Liberty Web Services, a framework for identity-based services that provides added value for identity, security, and privacy above and beyond basic web services, and thereby makes identity data portable across domains. The term Liberty Web Services comprises the Identity Web Services Framework (ID-WSF) and the Identity Service Interface Specifications (ID-SIS) that take advantage of that framework. Together, these two pieces enable identity-based services — web services associated with the identity attributes of individual users. Why are identity-based services valuable? Fundamentally, because they enable a user's identity data to be portable across the many Web applications that, if able to access these attributes, can provide a more customized and meaningful experience to the user, whilst removing from that user the burden of manually repeatedly providing and managing their identity attributes at each. ID-WSF builds on many existing standards for networking and distributed computing, and adds specialized capabilities for handling identity-related information and tasks and for ensuring privacy and security. With ID-WSF providing the addressing, security and privacy plumbing — different ID-SIS specifications define the specific syntax and semantics for sharing different slices of your identity attributes. For instance, a Calendar SIS specifies how the travel service would query the user's Calendar Service for free blocks, or write an event. Other ID-SIS specifications either already exist or can be defined for other aspects of your identity, e.g., the user's personal profile, geolocation, presence, or wallet... An identity-based service is a web service associated with a particular user, i.e., a web service at which a user's calendar information can be accessed. Identity-based services require functionality beyond that necessary for basic web services not associated with a given user — particularly in the areas of identity, security, and privacy. Liberty ID-WSF specifications define the addressing, security and privacy plumbing — and different Liberty ID-SIS specifications define the specific syntax and semantics for sharing different slices of identity attributes. Together, ID-WSF and ID-SIS make identity data portable in a secure and privacy-respecting manner..." See also Eve Maler's blog. [PDF source]

  • [February 13, 2008] "Liberty Alliance Schedules Four Public Interactive Webcasts to Review and Finalize Identity Assurance Framework Criteria. Consortium Releases Updated Version of the IAF as Organizations Worldwide Participate in Review and Development Process." Announcement February 13, 2008. "Liberty Alliance, the global identity consortium working to build a more trusted internet for consumers, governments and businesses worldwide, today released the latest version of the Liberty Identity Assurance Framework (IAF). The IAF is a policy-based organizational framework being developed collaboratively within the Liberty Alliance Identity Assurance Expert Group and corresponding public special interest group to advance trusted identity federations based on standardized and certified identity assurance levels. The latest version of the IAF is based on recent input from over 40 representatives from the global financial services, government, telecom, healthcare, system integrator, and technology sectors and is available for additional review and comment. Liberty Alliance formed the Identity Assurance Expert Group (IAEG) to foster adoption of identity trust services. Utilizing initial contributions from the e-Authentication Partnership (EAP) and the U.S. E-Authentication Federation, the IAEG's objective is to create a framework of baseline policies, business rules, and commercial terms against which identity trust services can be assessed and evaluated. The goal is to facilitate trusted identity federation to promote uniformity and interoperability amongst identity service providers. The primary deliverable of IAEG is the Liberty Identity Assurance Framework (LIAF). The LIAF leverages the EAP Trust Framework and the US E-Authentication Federation Credential Assessment Framework (CAF) as a baseline in forming the criteria for a harmonized, best-of-breed industry identity assurance standard. The LIAF is a framework supporting mutual acceptance, validation, and life cycle maintenance across identity federations. The main components of the LIAF are detailed discussions of Assurance Level criteria, Service and Credential Assessment Criteria, an Accreditation and Certification Model, and the associated business rules. Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. Liberty Alliance is also announcing four public webcasts, each designed to review and gather industry input into primary sections of the IAF as the Framework moves to final during 2Q of 2008..."

  • [December 18, 2007] Liberty Alliance Publishes SAML 2.0 Interoperability Testing Matrix. Announcement: "Liberty Alliance Announces First Companies to Pass Full-Matrix SAML 2.0 Interoperability Testing. November Liberty Interoperable Event First to Test Over the Internet and Against US GSA SAML 2.0 Profile Requirements." — Liberty Alliance announced that products from Hewlett-Packard, IBM, RSA (The Security Division of EMC), Sun Microsystems, and Symlabs, Inc. have passed Liberty Alliance testing for SAML 2.0 interoperability. The Security Assertion Markup Language (SAML) Specification Version 2.0 was approved as an OASIS Standard in March 2005. Products and services passing SAML 2.0 interoperability testing included: Hewlett-Packard's HP Select Federation 7.0; IBM's Tivoli Federated Identity Manager, version 6.2; RSA's Federated Identity Manager 4.0; Sun Microsystems' Java System Federated Access Manager 8.0; Symlabs Inc's Federated Identity Suite version 3.3.0. The vendors participated in the November 2007 Liberty Interoperable event administered by the Drummond Group Inc. and are the first to pass full-matrix testing Liberty Alliance incorporated into its interoperability program this year. All of these vendors also passed Liberty Alliance testing against the US GSA SAML 2.0 profile, meeting the prerequisite interoperability requirements for participating in the US E-Authentication Identity Federation. Liberty Alliance continually enhances the Liberty Interoperable program to meet cross-industry demands for proven interoperable identity solutions. The November event was the first to conduct Internet-based and full-matrix testing. Internet-based testing allows vendors to participate in the same interoperability event from anywhere in the world. Full-matrix testing requires each vendor to test with every other participant to ensure testing mirrors real world identity federation interoperability requirements. The breadth and depth of these testing procedures provides deploying organizations with assurances that products have proven to interoperate with each other across the widest possible range of deployment scenarios..." See also the Matrix.

  • [March 22, 2007] "Liberty Alliance Releases New Specifications for Linking Digital Identity Management to Consumer Devices." — "Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, announced the release of the Advanced Client specifications designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers, and televisions. The Advanced Client is a set of specifications and technologies that leverage the proven interoperability, security and privacy capabilities of Liberty Federation and Liberty Web Services to allow users to conduct a wide range of new identity-based transactions from any device. The Advanced Client is part of Liberty's roadmap to deliver an end-to-end digital identity management framework that provides enterprise users and consumers with increased identity management functionality across all networks and devices. The set of platform independent specifications were developed to extend identity management capabilities such as single sign-on, access to Web Services, stronger authentication and user-controlled provisioning to client devices. The Advanced Client will allow users to securely store identity data on a device and access and manage the information when the device is either connected to a network or offline... The Advanced Client represents the third phase of Liberty's ongoing work in delivering increased identity management functionality to client devices. In phase one Liberty Alliance defined the LECP (Liberty Enabled Client/Proxy) which was incorporated into SAML 2.0 and supports federation operations as the Enabled Client/Proxy. The Active Client is part of phase two and provides client-based Web services functionality, single sign-on into Liberty Web Services and support for any authentication model. Work on the Robust Client specifications, phase four, is underway. These phase four specifications will support trusted digital identity relationships, mobility modules and provide a platform for facilitating client-based universal strong authentication. Advanced Client relies on ID-WSF 2.0 (Liberty Web Services) which includes support for WS-Addressing and WS-Security specifications. The specific functionality included in the Advanced Client specifications released in draft form includes: Trusted Module: The Advanced Client acts as an extension of the identity provider (IdP) offering protocol support for trusted model capabilities and able to function when the IdP is not present. The specifications allow the client to assert assurances on behalf of the authority issuing the identity in a closed and protected environment such as a smart card or other tamper resistant mechanism within the client device. Provisioning: The Advanced Client supports full life-cycle provisioning of data and/or functionality to the client over the air in a privacy sensitive and secure manner. Service Hosting/Proxying (SHPS): Allows a service, such as a calendar or e-commerce profile to be hosted on a client device, such as a cell phone or laptop. The specifications allow others to interact with the service via a proxy based on the security, privacy and permission controls established by the user and when the device is either on or offline..."

  • [January 23, 2007] "Liberty Alliance Announces openLiberty Project. Consortium Leverages Global Leadership in Developing Secure and Privacy-Respecting Identity Standards to Support the Worldwide Open Source Community." — "Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced the openLiberty Project, a global initiative formed to provide resources and support to open source developers building identity-based applications. With today's news, Liberty Alliance has launched openLiberty.org, a portal where developers can collaborate in the openLiberty Project and access tools and information for 'jump starting' the development of more secure and privacy-respecting applications based on the widely deployed Liberty Federation and Liberty Web Services standards. The openLiberty Project was launched under the direction and leadership of the Liberty Alliance Open Source Special Interest Group. This group was formed to coordinate synergies among global open source initiatives and to identify the open source libraries developers need to build applications that interoperate with Liberty Federation, which consists of ID-FF 1.1, 1.2 and SAML 2.0, and Liberty Web Services, which consists of ID-WSF 1.0, 1.1, 2.0 and Liberty People Service specifications. Members of the group have identified the need to focus initially on delivering ID-WSF Web Services Consumer (WSC) libraries to allow open source developers to incorporate SAML 2.0 functionality into Web services applications. OpenLiberty.org is the first portal designed to serve as a comprehensive resource for the global open source community. OpenLiberty.org is where anyone interested in contributing to the architecture, design and development of the openLiberty Project will be able to participate in the project wiki, document repository and discussion lists. The portal will allow developers to access information about other relevant open source efforts, their relationship to the openLiberty Project and links to those efforts. Using a standard Apache licensing model, developers will have access to downloadable member-contributed open source code for building applications based on standards from Liberty Alliance..."

  • [January 16, 2007] "Liberty Alliance Announces Products from CA, Entr'ouvert, Ericsson, HP, NTT, NTT Software, and Symlabs Pass Interoperability Testing." — "Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced that products from CA, Entr'ouvert, Ericsson, HP, NTT, NTT Software and Symlabs have passed Liberty Alliance testing. With today's testing results, nearly 80 identity products and solutions from vendors around the world have now passed Liberty Alliance testing for SAML 2.0, Liberty Federation and Liberty Web Services. 'Interoperability of identity products and solutions is key to the successful and wide scale deployment of federation, Web services, SOAs and social networking applications,' said Roger Sullivan, president of the Liberty Alliance Management Board and vice president of Oracle Identity Management. 'Vendors passing Liberty Alliance interoperability testing offer their customers assurances that products can interoperate from day-one and deliver real business value over the long-term.' Today's news marks the first time Liberty Alliance has tested vendors for interoperability of ID-WSF 2.0, the latest version of Liberty Web Services specifications which was released as final in October 2006. ID-WSF 2.0 includes Liberty People Service, the industry's first open Web services framework that allows consumers and enterprise users in any market segment to manage applications such as calendars, blogs, e-mail, instant messaging and photo sharing in a secure, privacy-respecting and trusted federated social network. Liberty Interoperable products are deployed extensively by governments and businesses worldwide. Organizations can trust that products that have passed Liberty Alliance testing will deploy quickly and can immediately interoperate with other Liberty-enabled technologies. During testing held in France the week of December 4, 2006, the products and services listed below demonstrated interoperability with one or more of the following standards: Liberty Federation, which consists of ID-FF 1.1, 1.2 and SAML 2.0, and Liberty Web Services, which consists of ID-WSF 1.0, 1.1, 2.0 and Liberty People Service specifications..."

  • [October 04, 2006] "Liberty Alliance Releases Final Version of ID-WSF 2.0 Web Services Standards." — "Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced the release of the final version of ID-WSF 2.0, the industry's most complete framework for building and managing privacy-respecting, secure and interoperable Web services and Service Oriented Architectures (SOAs)... The final release of ID-WSF 2.0 now includes additional support for open industry standards to allow developers, enterprises and system integrators to build successful Web services faster based on the widely deployed and proven interoperable Liberty Web Services standards. Today's release also includes Liberty People Service, the industry's first user-centric Web services protocol for managing a user's relationship network across social applications in a trusted, secure and privacy-respecting manner. The release of ID-WSF 2.0 includes Liberty People Service, the industry's first non-proprietary user-centric Web services framework to allow consumers and organizations to manage social and enterprise applications such as bookmarks, blogging, calendars, e-mail, photo sharing and instant messaging in a federated social network. With Liberty People Service individuals can easily store, maintain, and categorize online relationships with friends, family and colleagues so that other socially-aware Web services applications can leverage identity information based on the consent and privacy controls established by the user. Liberty's secure and privacy-respecting ID-WSF 2.0 provides organizations with a complete framework for deploying and managing interoperable, non-proprietary and trusted SOAs. Liberty Alliance is the only global identity organization that tests vendor products for true interoperability of identity standards. Nearly 75 products from vendors around the world have now passed testing since Liberty launched its Liberty Interoperable program in 2003. Gemalto, Epok, HP, Sun Microsystems, Novell, Nokia, NTT and Symlabs have passed testing for Liberty Web Services interoperability... Liberty Alliance regularly incorporates truly open standards into its identity specifications based on industry and member requirements for open and interoperable identity solutions. With the final release of ID-WSF 2.0, Liberty Web Services now offers increased support for SAML 2.0 to allow SAML 2.0 assertions to be used as security tokens; incorporates WS-Addressing to enable asynchronous messaging capabilities; features new subscription and notification capabilities to allow a push-model for attribute sharing; and supports identity tokens to provide a structured mechanism to refer to a user inside the network..."

  • [November 21, 2005] "Liberty Alliance Announces Latest Companies Passing SAML 2.0 Interoperability Testing. Products from IBM, NEC, NTT and RSA Security Join Liberty's Growing List of Interoperable Identity Solutions." - "The Liberty Alliance Project, a global consortium for open federated identity and Web services standards, today announced that products from IBM, NEC, NTT and RSA Security passed interoperability testing at Liberty's recent conformance event. These companies successfully demonstrated that their products meet interoperability standards for Liberty Federation and join nearly seventy other identity products and solutions from multiple vendors that have now passed Liberty interoperability testing. Liberty Alliance holds regular conformance events at varying locations around the world to test products for interoperability of Liberty identity specifications. After participating in a five-day testing event held in Tokyo earlier this month, IBM, NEC, NTT and RSA Security have demonstrated interoperability of products and solutions that incorporate Liberty Federation (Liberty ID-FF 1.2 and/or SAML 2.0) specifications. 'Liberty's Interoperable Program is about creating a global ecosystem of identity solutions that have been proven to work together in an open federated network environment,' said Roger Sullivan, chair of the Liberty Alliance conformance program and vice president of business development for Oracle's Identity Management. 'Since Liberty launched the program in 2003, identity products that have passed interoperability testing have been deployed extensively in a variety of industries and vertical market segments worldwide..."

  • [October 11, 2005] "Liberty Alliance Releases Business and Policy Guidelines for Deploying Federated Identity Management. Liberty's First Guidelines for Policy Decision Makers Addressing the Business, Legal, and Privacy Aspects of Federation." - The Liberty Alliance Project, a global consortium for open federated identity standards and identity-based Web services, has announced the release of business and policy guidelines for helping organizations address and manage the business, legal and privacy challenges of deploying federated identity management. The guidelines have been developed based on the experiences of Liberty members who have implemented federation and serve as a resource for accelerating the wide-scale deployment of federated identity solutions... With over one billion Liberty-enabled identities and devices expected globally by the end of 2006, Liberty has proven that the technology for deploying successful federation is in place. But Liberty also recognizes that in order to fully leverage the benefits of federation, technology alone is not enough. Policy decision makers need tools to help identify and manage the many business considerations involved in developing Circles of Trust, the legal and contractual frameworks governing federation between organizations. Liberty's Business and Policy Deployment Guidelines, developed by the Alliance's Public Policy Expert Group (PPEG), is the first of many tools and documents to come from Liberty to provide assistance with this decision framework. Liberty Alliance is the only global organization addressing the business, policy and technology aspects of identity management and the only identity-focused organization that has a Public Policy Expert Group, which provides advice and guidance on privacy functionality within Liberty specifications. PPEG member representatives from BIPAC, the US General Services Administration, Oracle, and Sun Microsystems spearheaded the development of the deployment guidelines by leveraging their work in open federated identity management... [Guidelines (PDF), cache]

  • [April 15, 2005] "Liberty Alliance Embraces SAML 2.0." By Jim Wagner. From InternetNews.com (April 15, 2005). "With the ink barely dry on the final Security Assertion Markup Language (SAML) 2.0 standard, officials at the Liberty Alliance are set to include the technology in its interoperability test bed Monday. The Liberty Interoperable Logo Program certifies that software developers create products that interoperate with products from other vendors using a variety of specified profiles and schema. Officials at OASIS blessed the single sign-on technology for use in the industry Thursday. The technology fills in the gaps left by SAML 1.0, with improved metadata specifications to improve communications between companies using the technology within a federation, as well as new attribute profiles. Roger Sullivan, Liberty Alliance conformance expert group chairman and Oracle vice president for identity management solutions, said the organization has been working on getting SAML 2.0 into the interoperability program for some months... Several vendors have already included SAML 2.0 in their product line or are in the process of rolling out a version in the near future: Oracle, Computer Associates and RSA Security. Sullivan would not say which companies are going through the interoperability process, noting the identities of companies participating in the program are kept secret under non-disclosure agreements until several weeks after successful completion of the program. In order to gain program approval, the product must work with at least two other vendor implementations. The logo is good only for the specific version of the product that undergoes the testing, not the entire product line. According to officials, some 15 vendors and 30 products have already successfully participated in the program, the first in the industry to test and approve interoperability standards for federation, single sign-on and identity-based Web services..."

  • [April 12, 2005]   Liberty Releases Contact Book, Geo-Location, and Presence Interface Specifications.    The Liberty Alliance Project has announced the publication of three new identity management specifications that are deployable in Liberty's Identity Web Services Framework (ID-WSF). The Liberty ID-SIS Contact Book Service Specification, Liberty ID-SIS Geolocation Service Specification, and Liberty ID-SIS Presence Service Specification "offer new application functionality to enterprises and service providers, as well as privacy, personalization and security benefits to users." Liberty is an alliance of "more than 150 companies, non-profit and government organizations from around the globe, committed to developing an open standard for federated network identity that supports all current and emerging network devices. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information in today's digital economy, and is a key component in driving the use of e-commerce, personalized data services, as well as Web-based services." The Liberty ID-SIS Contact Book (ID-SIS-CB) specification defines a "common method for users to manage and share personal or business contacts regardless of contact book provider, enabling service providers to access or automatically update, at the user's request, information like billing or shipping address. ID-SIS-CB is an instance of a data-oriented identity web service. It is characterized by the ability to query and to update attribute data and incorporates from other specifications mechanisms for access control and conveying data validation information and usage directives." The Liberty ID-SIS Geolocation (ID-SIS-GL) specification provides "an interoperable way to automatically identify a person's location, at the user's request, to provide services like weather, news, travel or currency updates or directions to a chosen location. It is an instance of a data-oriented identity web service. ID-SIS-GL uses the Liberty ID-WSF Data Services Template, and the geolocation-related data is mostly from the Mobile Location Protocol version 3.1 specified by the Open Mobile Alliance." The Liberty ID-SIS Presence Service Specification "defines a web service for presence information within the context of the Liberty Alliance project. It provides a common way for users to share presence information, such as whether they are online, offline, on the phone or in a meeting, with any service provider for the purpose of communicating availability. The core meaning of presence refers to a Principal's availability for communications over a network (phone, IM, video conference); 'extended' presence includes the Principal's proximity to or interaction with a user agent (e.g., 'away' or 'do not disturb'), activity (e.g., 'driving'), mood (e.g., 'grumpy'), and date/time ranges for availability."

  • [January 18, 2005] "Liberty Alliance Project Responds to RFI From U.S. Department of Health and Human Services. Consortium's Widely Implemented Specifications Focus on Privacy, Confidentiality and Security, Cited as Core Issues in Healthcare." - "Liberty Alliance, the global consortium for open federated identity standards and identity Web-based services, today announced that it had submitted a formal response to the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONCHIT) Request for Information (RFI) on 'Development and Adoption of a National Health Information Network.' The response was submitted on behalf of Liberty's 150-member base, and addresses possible methods by which widespread interoperability and health information exchange can be deployed and operated on a sustainable basis. Liberty also participated in a joint filing authored by 13 organizations, including the Markle Foundation, HIMSS, the AMIA, ANSI and a number of other organizations. Liberty's federated identity standards and business guidelines focus on privacy, confidentiality and security, offering the flexible, secure and open infrastructure that is required to support and manage online services and transactions that are necessary in healthcare. Liberty Alliance first introduced its specifications publicly in April 2002, and has since issued several additional revs of these specifications. The specifications have been implemented by organizations worldwide, and in fact it is estimated that there will be in excess of 400 million Liberty-enabled identities and devices by the end of 2005... ONCHIT issued the public RFI to obtain information that can be used to help develop a new vision for healthcare through the use of information technology, with the intention of developing a strategic plan to implement over the next 10 years. The initial RFI addresses the goal of interconnecting clinicians and the use of Electronic Health Records so that health information can be exchanged using advanced and secure electronic communication... Further to its healthcare focus, the Liberty Alliance will also participate in the HIMSS (Health Information and Management Systems Society) annual conference in Dallas, TX, Feb. 13-17, 2005. It will showcase a demonstration of its specifications in use in a healthcare setting, as well as present on the topic of 'Efficiency, Effectiveness and Regulatory Compliance in Healthcare: The Promise of the Liberty Alliance and Federated Identity Management'..." See also "XML in Clinical Research and Healthcare Industries."

  • [October 25, 2004] "Twelve Companies Earn Liberty Alliance Interoperable Logo at First Event to Test Identity Web Services Conformance." - "The Liberty Alliance, the global consortium developing an open federated identity standard and business tools for implementing identity-based services, today announced products and services from 12 companies have earned the Liberty Alliance Interoperable mark in the latest Liberty-sponsored conformance test — the first event to test against the Liberty Identity Web Services specification ID-WSF 1.0. The Liberty Alliance continues to be the only organization to offer more than simple specification interoperability testing and officially validate Liberty Federation and Identity Web Services implementations in products and services. Alcatel, Elios, IBM, NEC, Nokia, Novell, NTT, Oracle, Ping Identity, Sun Microsystems, Symlabs and Trustgenix have been awarded the 'Liberty Alliance Interoperable' mark. Following a rigorous testing process, conformant products may display the Liberty Alliance's highest stamp of quality, which offers buying assurances to end customers that products are truly interoperable out-of-the-box, shortening deployment cycles, increasing productivity and saving costs. 'Participants are responding to market demand for validation of quality and assurance of true interoperability,' said Roger Sullivan, vice-chair of the Liberty Alliance Conformance Expert Group. 'The conformance program offers vendors and service providers the opportunity to respond to the customer mandate for products and services that have earned the 'Liberty Alliance Interoperable' mark.' The Liberty conformance program requires that each company successfully complete tests against scripts and scenarios prepared by the Liberty Alliance Conformance Expert Group and published on the Liberty Alliance website. As part of the testing, companies must demonstrate interoperability with at least two other randomly selected participants. The program requires repeated operation of the Liberty specification's core features in many combinations and sequences and in different roles and contexts common to real-world deployments. The federation testing reviewed federation establishment and termination, single sign-on, opaque name registration, affiliation, identity proxying and anonymous login. The identity web services testing reviewed authentication, service registration and update, service lookup, service invocation and interaction. 'Liberty is pleased with the rapid adoption of its Identity Web Services specifications, and the response of both members and non-members who want to assure the market that their products will interoperate with these specifications out of the box,' said Donal O'Shea, Executive Director of Liberty Alliance. 'Companies who have earned the 'Liberty Alliance Interoperable' mark report that customers more easily create partnerships, in part because displaying the mark delivers instant market credibility and assures rapid deployment.' The conformance test event was held in Tokyo, Japan during the week of October 11-15, 2004..." General references in "Liberty Alliance Specifications for Federated Network Identification and Authorization."

  • [October 18, 2004] "Liberty Alliance Continues Aggressive Growth, Expands Membership Base With Seven New Members. Liberty Identity Web Services Specifications Attract Key Players in Digital Imaging and Document Technology, Security and Telecom Markets." - "The Liberty Alliance, the global consortium developing an open federated identity standard and business tools for implementing federated identity and identity-based Web services, today announced that seven organizations have joined Liberty Alliance, including leading identity management, application security, mobile and wireless security, telecommunications and research companies, as well as the world-leading digital imaging, design and document technology company. Three companies joined the Liberty Alliance at the sponsor level, one at the affiliate level, one at the associate level, and two previous members have re-joined at the associate level. New members have expressed significant interest in the Liberty Alliance Identity Web Services specifications to solve existing business needs, and plan to use the specifications for applications that are new to the Liberty Alliance, such as Digital Rights Management. Adobe Systems has joined the Liberty Alliance as a sponsor member, and plans to bring Liberty's benefits down to the document level. Working with the Liberty Alliance, Adobe will strengthen document security by adding federated identities, making it easier for businesses to employ document services for meeting compliance and regulatory mandates to protect individual privacy. Additional new sponsor members include OpenNetwork Technologies, specializing in end-to-end identity management solutions, and Senforce Technologies, developing location-aware security software for mobile and wireless computers. OpenNetwork seeks to remedy the key pain points of today's enterprises while helping companies capitalize on existing technology investments. Senforce recognizes the importance of a standards-based approach to federated authentication and seeks to actively contribute to building global awareness of privacy and privacy-friendly approaches. These new members bring to the Liberty Alliance a wealth of expertise in the identity management and mobile security markets, and demonstrate the Alliance's continued ability to attract industry leaders at a sponsor level. As industry leaders continue to understand that federation is the foundation to meaningful Web services, they seek out the Liberty Alliance as a forum to come together to build identity into electronic communications and transactions..." See also the added information about IBM joining Liberty Alliance. General references: "Liberty Alliance Specifications for Federated Network Identification and Authorization."

  • [October 19, 2004] "Liberty Alliance Captures Seven New Members." By Tony Hallett. In ZDNet News (October 19, 2004). "The Liberty Alliance, a far-reaching body working on identity standards for Web services, has signed up seven new members. At an event held in Tokyo on Monday, it announced that Adobe Systems, DAI-Labor, Deny All, M-Tech Information Technology, OpenNetwork Technologies, Senforce Technologies and Telewest Broadband are joining up. Web services require identity verification for benefits such as single sign-on. While the Liberty Alliance already includes a range of vendors, nonprofit organizations and users among its members, the latest backers cover many technology bases, including document- and location-aware security. It is notable that the group is now also talking about using its standards for applications such as digital rights management (DRM) — a vital future area for Microsoft, which holds key ground in the development of Web services. The Liberty Alliance Project also announced that it has hired a full-time executive director, longtime Silicon Valley information technology consultant and ex-IBM executive Donal O'Shea..." See also the announcement in preceding entry, with notice that IBM has also joined Liberty Alliance.

  • [June 29, 2004] "McNealy: Sun, Microsoft To Unveil Phase One of Partnership in Late Summer. Directory Interoperability for Single Sign-On Will Be Tackled First." By Elizabeth Montalbano. In CRN (June 29, 2004). "Sun and Microsoft plan to detail Phase One of their historic partnership in late summer, Sun Chairman and CEO Scott McNealy said Tuesday at JavaOne. The first phase of the partnership will be to 'solve single sign-on' and facilitate interoperability between the LDAP model of the directory and identity management products in Sun's Java Enterprise System and Microsoft ActiveDirectory, McNealy told attendees in his morning keynote at Sun's annual Java developer confab in San Francisco. Once Sun and Microsoft make their software interoperable, 'users can log into the network once without having to remember multiple passwords and have their authentication travel across software infrastructure from both Sun and Microsoft,' McNealy said. Applications that run on both systems also can take advantage of the same infrastructure for network identity. 'This should make for more efficient consumer and enterprise use,' he said. Enabling single sign-on for users across multiple Web sites, particularly for e-commerce users, has been a tricky issue. Sun and a group of partner companies initiated and supported the Liberty Alliance, which leverages the Security Assertion Markup Language (SAML) specification to enable single sign-on, while Microsoft for a time planned its own project, HailStorm, to collect user information and authenticate users across multiple sites. But users were uncomfortable with the idea of Microsoft owning all of their personal information, so HailStorm didn't fly as expected..."

  • [March 19, 2004]   Liberty's Federated Identity Project Supported by Intel and Six New Global Alliances.    The Liberty Alliance consortium has announced the formation of new relationships with six global alliances, and the addition of Intel Corporation to the Liberty Alliance Management Board. The new partner relationships will help Liberty address identity challenges in the security, financial, and mobile services sectors. Liberty is developing an open federated identity standard and business tools and guidance for implementing identity-based services. Standards organizations now working collaboratively with the Liberty Alliance include Network Applications Consortium (NAC), Open Mobile Alliance (OMA), Open Security Exchange (OSE), PayCircle, SIMalliance, and WLAN Smart Card Consortium. The forging of new global alliances by Liberty highlights the importance of federated identity as "a key enabler in everything from mobile payments and on-demand networking to integrating electronic and physical security systems." The Alliance also announced that Intel Corporation has joined the global consortium as "both a sponsor member and participating company on the Alliance's Management Board. As the newest member on the Management Board, Intel is one of fifteen (15) companies responsible for overall governance and operations of the Liberty Alliance. This new membership status will allow Intel the opportunity to work with the Liberty Alliance membership to assist in the creation and recommendation of future specifications and business tools in the area of federated identity."

  • [March 18, 2004] "Intel Joins the Liberty Alliance Project. Membership Underscores Intel's Commitment to Advance Open Standards Development." - "The Liberty Alliance Project today announced that Intel Corporation has joined the global consortium developing an open federated identity standard and business tools for implementing identity-based services, as both a sponsor member and participating company on the Alliance's Management Board. As a Liberty Alliance member, Intel will continue its efforts towards the evolution of additional devices that can take advantage of Liberty Alliance compliant infrastructure and services. Liberty's federated approach to identity management provides a standards-based foundation for identity networks and services. By identity-enabling systems and services, companies can increase security, create new efficiencies to cut internal IT costs, enable new business opportunities and make Web services more privacy friendly. Identities play a large role in the convergence between computing and communications, which is an evolution Intel has been driving for many years. Intel has worked hard to advance basic building blocks both at the silicon level as well as at the platform hardware/software level. Joining Liberty Alliance will help Intel continue to advance the development of identity standards that will become one of the basic building blocks for emerging computing and communications usage models. 'Authentication and identity management are critical to the success of new computer and communications usages,' said Colin Evans, Director System Software, Corporate Technology Group, Intel. 'Liberty Alliance brings together an exciting array of companies from many industries to define these standards and we are looking forward to working with our customers and member companies to make implementation a reality across all the hardware platforms we provide.' In addition, as the newest member on the Management Board, Intel is one of 15 companies responsible for overall governance and operations of the Liberty Alliance. This new membership status will allow Intel the opportunity to work with the Liberty Alliance membership to assist in the creation and recommendation of future specifications and business tools in the area of federated identity..."

  • [February 27, 2004]   Liberty Publishes Federated Identity Documents on Mobile Deployments and Identity Theft.    The Liberty Alliance Project has released two key federated identity documents. The Tier 2 Business Guidelines: Mobile Deployments document outlines "near-term market opportunities and business requirements for federated identity in the mobile market. The document examines how mobile operators, equipment providers, content and service providers as well as vendors and users can take advantage of the growth and demand for mobile services, and in turn, how Liberty's open standard can enable secure delivery of Web services. The Mobile Deployments guidelines address business issues that must be considered during planning and deployment, including: establishing mutual confidence and minimum quality standards; developing a comprehensive risk management strategy; defining liability and dispute resolution mechanisms; complying with agreed-upon standards and relevant legislation." The Whitepaper on Liberty Protocol and Identity Theft "discusses identity theft and the related problem of identity management, showing how the Liberty Alliance Project addresses the current issue of identity theft through its specifications and through best practice implementation guidelines. Liberty specifications lower the risk of identity theft because of higher security and privacy standards. They limit the damage of identity theft caused to Principals because all their personal data is not concentrated in the same single site, and Principals control which sites can share what data." The Liberty Alliance represents more than 150 institutional members partnering to "develop open standards for federated network identity management and identity-based services. Its goals are to ensure interoperability, support privacy, and promote adoption of its specifications, guidelines and best practices."

  • [February 23, 2004] "Whitepaper on Liberty Protocol and Identity Theft." Edited by William Duserick (Fidelity Investments). February 20, 2004. 11 pages. See the announcement, "Liberty Alliance White Paper Outlines Federated Identity's Ability to Reduce Identity Theft." [cache]

  • [February 23, 2004] "Liberty Alliance White Paper Outlines Federated Identity's Ability to Reduce Identity Theft." - "The Liberty Alliance today announced the availability of a white paper calling out the growing problem of identity theft and detailing ways in which federated identity and Liberty's open standard can reduce online identity theft, its frequency and its potential impact on consumers. The white paper, The Liberty Alliance Protocol and Identity Theft White Paper, also presents deployment recommendations for federated identity as a means to further mitigate risks. Identity theft is a widespread and costly problem. Research analyst firm IDC reports that worldwide economic losses due to identity theft could reach $2 trillion by 2005 (April 2003). It's not only costly, it's time-consuming and a productivity drain on the economy. A U.S. Federal Trade Commission survey reports that in 2003 individuals spent an average of 30 hours to deal with their identity theft experience. 'Identity theft is extremely painful to consumers and very costly for businesses,' said Piper Cole, chair of Liberty's public policy expert group and vice president for global public policy at Sun Microsystems. 'It is costing merchants billions a year in charge-back fees and litigation and they are in need of an immediate solution to alleviate the bleed. Liberty's federated identity framework is a part of that solution.' Liberty's federated identity model, which distributes identity information across various trusted parties, is inherently more secure than a centralized model where all information is accessible in one location. If a centralized database is breached, the entire content of that database can be a goldmine for hackers and thieves. In addition to the federation safeguards, Liberty's framework also incorporates unique privacy controls and state-of-the-art security mechanisms to protect users and businesses..."

  • [November 12, 2003] "Sun's Java Enterprise System Provides Immediate Support for Next Generation of Liberty Alliance Specifications. Sun Java System Identity Server Delivers Support for Liberty Alliance Phase 2 Specification for Secure Federated Identity. Early Access Available for Qualified Customers." - "Sun Microsystems Inc., a founding member of the Liberty Alliance Project, today announced that its market-leading Java System Identity Server is the industry's first commercial product from a software platform vendor to support the Liberty Alliance Phase 2 specifications. This support expands the broad functionality of the Sun Java System Identity Server, a key component of the Java Enterprise System, further enabling the deployment and adoption of secure and federated identity-based Web services to fixed and mobile users' devices. 'Open standards are fundamental to the development of secure, federated identity solutions and Web services. Expanding on our support for the Liberty Alliance specifications will help our customers deliver mobility with security -- the right services to the right people at the right time on any device,' said Jonathan Schwartz, executive vice president of software for Sun Microsystems. 'Identity is a critical component for secure delivery and deployment of the network services that help our customers gain a competitive advantage in an ever-changing marketplace.' The integrated identity services of the Java Enterprise System -- access management, directory, provisioning and delegated administration -- provide the best offering for customers to reap the benefits of federated network identity. The Java Enterprise System allows Sun customers to leverage functionality of the current and future Liberty specifications through the Java System Identity Server. Early access to the Java System Identity Server's latest Liberty functionality is available for qualified Sun customers today... 
The Java System Identity Server was the industry's first commercial-grade identity management solution to support both SAML and the Liberty Phase 1 protocols. Sun is the first software platform vendor to support the Liberty Phase two specifications. The J2EE-based architecture of Java System Identity Server makes it the preferred developer solution for 'identity-enabling' mobile and data Web services. Java System Identity Server uses role-based access control mechanisms to centrally create and manage users, delegate user administration, and define the access policies for users on intranets and extranets... The Liberty Phase 2 specifications are critical for deploying an effective federated identity infrastructure. Expanding upon the Phase 1 specifications, which allow for cross-domain single sign-on, these new specifications add support for cross-domain attribute exchange and a foundation for Liberty-based Web services. A federated identity architecture allows an authenticated identity to seamlessly take part in targeted Web services from multiple organizations or Web domains that have business agreements in place. This brings greater efficiencies for employee identity management, creates new market and revenue opportunities between business partners, and increases the end-user's control over identity information while facilitating their access to valuable Web services..."

  • [October 17, 2003] "M-Commerce, Certifications Next for Liberty Alliance. Federated Network Identity Effort Proceeds." By Paul Roberts. In InfoWorld (October 14, 2003). "Single sign-on standards group the Liberty Alliance Project said Tuesday that it was taking over the work of European mobile computing standards group Radicchio Ltd. and that it will unveil a program to certify products and services for compliance with the Liberty Alliance's federated network identity standards. The announcements come as the trade group looks for ways to increase adoption of Liberty specifications and build a secure foundation for the growth of mobile and wireless transactions... Radicchio is a U.K.-based cross industry group that was created in 1999 to foster a secure platform for conducting transactions using mobile devices such as cell phones and PDAs (personal digital assistants). The group developed a platform called the 'Trusted Transaction Roaming platform,' or t2r, for authenticating mobile device users across different mobile networks. The t2r platform was recently submitted to the European Commission for evaluation. Under an agreement, which is still being negotiated, t2r will be transferred to the Liberty Alliance Project along with any other specifications and assets belonging to Radicchio, according to a statement released by Radicchio Tuesday at the ITU Telecom conference in Geneva. Once the transfer is complete, Radicchio will discontinue operations, according to James van der Beek, senior manager of strategy at Radicchio member Vodafone Group. The t2r platform uses the Liberty Alliance's Federated Identity Architecture, Radicchio said in its statement. The decision to fold Radicchio, which counts leading IT players including VeriSign, Telefonaktiebolaget LM Ericsson, Vodafone and Orange as members, grew out of the realization that the challenge of mobile commerce was converging with that of verifying user identity, Van der Beek said. 
'Identity impacts everything and the Liberty Alliance is the place to handle identity,' he said. The merger also fits with the Liberty Alliance's focus on a new generation of identity services, according to Simon Nicholson, chairman of the Business and Marketing Expert Group at the Liberty Alliance and a manager of strategic initiatives at Sun Microsystems. Inheriting the t2r platform will give the Liberty Alliance a head start developing standards for mobile payment and wallet services, Nicholson said. 'It's a logical next step for the Liberty Alliance to solve those future problems,' he said. The Liberty Alliance is also launching a certification program to make sure single sign-on software products and services adhere to the group's published guidelines and interoperate with other Liberty products..."

  • [October 15, 2003] "Liberty Alliance Unveils Certification Test. Certification to Assure Buyers that ID Management Products Work Well Together." By Mark Willoughby. In ComputerWorld (October 15, 2003). "The Liberty Alliance Project this week announced a certification test designed to ease concerns about interoperability between products in the fast-growing identity management market. The certification includes the Liberty Interoperability Logo to assure buyers that a vendor's products have passed a battery of tests designed to prove that users can federate and support single sign-on using authentication, authorization and provisioning layers from different identity management products. 'We have well over two dozen Liberty-compliant products shipping,' said Michael Barrett, president of the Liberty Alliance management board and vice president of Internet strategy at American Express Co. 'With the growing maturity and adoption of the alliance's specifications, our work needs to focus now on alleviating the business complexity of implementing identity federation.' 'This assists the buyer in knowing that the products will work with one another if they buy logoed products,' he said. The Liberty Alliance is a group of more than 170 vendors and end-user companies formed in 2001 to develop industry standards for identity management and identity-based services. The test announcement took place at the Digital ID World exhibition here. The Liberty Alliance is one of several bodies now working on setting identity management standards. Barrett downplayed any rivalry with the Web Security Federation (WS-Federation), a group led by Microsoft and IBM that has been issuing security standards to secure Web services. Each of the two groups submits technologies for security industry standards under the auspices of the Organization for Structured Information Standards (OASIS)... 
'We've adopted parts of the WS-Security specifications into Liberty standards,' said Simon Nicholson, chairman of the Liberty Alliance business and marketing group. 'We're waiting to hear from the other parties.' According to Roger Sullivan, CEO of Phaos Technologies and the head of the Liberty Alliance certification team, the tests will reproduce a real-world identity federation problem... The first test is planned in Madrid for November 11-14, 2003, with plans to hold one test each quarter in a different country." See the announcement: "Liberty Alliance Launches Certification Program for Liberty-Interoperable Products and Services. Initiative Ensures Product Compatibility to Help Increase Buyer and Partner Confidence in Identity Management Products and Services."

  • [October 14, 2003] "Radicchio to Submit M-Commerce and Security Standards Work to the Liberty Alliance Project." - "Radicchio Ltd. and the Liberty Alliance Project announced today that Radicchio, a cross-industry initiative for secure m-commerce, will contribute all its existing work in the area of mobile data services to the Liberty Alliance for further development. The move will provide the Liberty Alliance, an organisation developing an open standard for federated network identity, further expertise in the mobile and European markets, as well as additional resources. It will also help speed development of a secure standard for authenticating and sharing identity-based data services across mobile networks around the globe. Radicchio, formed in 1999 to advance the potential of mobile e-commerce and mobile security, has worked in concert with its members, a number of partners in the mobile industry, the Liberty Alliance and regulatory and standardisation organisations like the European Commission and ETSI to develop the 'Trusted Transaction Roaming' platform. Radicchio's newly developed platform, a method for securely authenticating mobile users across different mobile networks, already utilises the Liberty Alliance Federated Identity Architecture, and will continue to be supported within the Alliance. 'During our work we quickly learned identity and authentication is key to security and mobile services,' said Stefan Engel-Flechsig, Radicchio CEO. 'Our work was becoming more identity-related and the Liberty Alliance is the natural and universal place for conversations, concepts and standards around identity to develop.' The consolidation of Radicchio's work within the Liberty Alliance will also help Radicchio's member base, many of whom are also part of the Liberty Alliance. 
Engel-Flechsig continued, 'There are numerous standards developments occurring simultaneously which is a strain not only on those who must implement the standards but on the members involved in standards development as well. Because of the Alliance's strong support and our shared membership, we feel this is the best place for our work to continue.' [...] Radicchio's new Trusted Transaction Roaming platform is a concept for securely authenticating mobile users across networks for offering data services. The platform will allow service providers to be able to offer data services to other network operators' customers providing more value to their own customers and offering customers a wider choice of services without leaving their existing operator network..."

  • [July 08, 2003]   Liberty Alliance Publishes Business Requirements and Guidelines for Identity Federation.    The Liberty Alliance Project has released Business Guidelines: Raising the Business Requirements for Wide Scale Identity Federation, described as the first in a series of documents the Alliance is developing to provide global businesses guidance on deploying federated identity solutions. The purpose of the document is to "identify the general business considerations that must be addressed by any organization exchanging identity information beyond company boundaries in today's complex federated identity environment." Four principal business requirements identified as critical to identity federation are highlighted in the Business Guidelines: "(1) Mutual confidence: the processes and tasks business partners must undertake to set minimum quality requirements, certify the other party has met those requirements, and manage the risk of exposure; (2) Risk management: the best practices and procedures business partners must identify to guard themselves from losses due to identity fraud, losses due to the exposure of identity information, and loss of business integrity due to insecure processes or data; (3) Liability assessment: the process for determining in a networked environment what parties will bear which losses, under what circumstances and how to resolve disputes; (4) Compliance: the alignment with agreed-upon standards, policies and procedures and how that compliance is governed, including compliance with local privacy requirements." Liberty Alliance plans to introduce future documents aggregating major business issues and informational sources that will guide federated identity implementations in vertical (i.e., healthcare, financial services), regional (i.e., Japan, Germany) and industry scenarios (i.e., B2B, B2C mobile). The next set of documents is expected to be available by end of 2003.

  • [June 02, 2003] "Federated Identity Management Addresses E-Business Challenges. Industry Commentary." By John Worrall (RSA Security) and Jason Rouault (Hewlett-Packard); RSA and HP are founding members of the Liberty Alliance Project. In Web Services Journal Volume 3, Issue 6 (June 2003), page 58. "A single organization cannot effectively manage or control an e-business initiative from beginning to end, especially when multiple partners are involved. Even within the enterprise, different business units often manage distinct sets of users and resources. That's why organizations are turning to federated identity management to address their e-business challenges. In a federated environment, a user logs on through his identity provider and then leverages that authentication to easily access resources in external domains. Federated identity standards form an abstraction layer over local identity and security environments of diverse domains. This abstraction layer provides for interoperability between disparate security systems inside and across domains, enabling true federation. Each domain maps to the agreed-upon policies without divulging sensitive user information. This trust is the foundation of any federated environment, and the organizations that work together within a domain are a circle of trust. A circle of trust connotes that both a business relationship and technical infrastructure are in place to assure secure access. The Liberty Alliance is developing and delivering the first open architecture and specifications to enable federated identity management. At its core is the Identity Federation Framework (ID-FF), which facilitates identity federation and management through features such as identity/account linkage, single sign-on, and session management. ID-FF is fundamental to underpinning accountability in business relationships and Web services; providing customization to user experience; protecting privacy; and allowing adherence to regulatory controls. 
The Liberty Alliance is also specifying an Identity Web Services Framework (ID-WSF) that will utilize the ID-FF. This framework introduces a Web services-based identity service infrastructure that enables users to manage the sharing of their personal information across identity and service providers as well as the use of personalized services. For example, a user may authorize a service provider to access their shipping address while processing a transaction. Built on top of the ID-WSF is a collection of interoperable identity services, the Identity Services Interface Specifications (ID-SIS). The ID-SIS might include services such as registration, contact book, calendar, geo-location, presence, or alerts. Through Liberty protocols and a standard set of attribute fields and expected values, organizations will have a common language to speak to each other and offer interoperable services. The services defined in the ID-SIS are designed to be built on top of Web services standards, meaning they are accessible via SOAP over HTTP calls, defined by WSDL descriptions, and use agreed-upon schemas... The Liberty Alliance unites more than 160 firms representing more than 1 billion consumers. Organizations like this will continue to strive to achieve digital identity standards that will facilitate e-business processes around the globe..." [alt URL]
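The ID-FF features the commentary names (opt-in account linkage, single sign-on, session management and logout within a circle of trust) can be modelled in a few dozen lines. The following is an added example written for this page, not Liberty Alliance or vendor code: it uses JSON claims signed with HMAC as a stand-in for the SAML/XML-Signature messages the real protocol exchanges, and the class names, provider identifiers and "alice" account are all constructed assumptions.

```python
"""Toy model of Liberty ID-FF style identity federation (added example).
Assumptions: one shared circle-of-trust key replaces XML signatures, and
JSON claims replace SAML assertions. Not the real Liberty wire format.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stand-in for the XML signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, provider_id: str, key: bytes):
        self.provider_id, self.key = provider_id, key
        self.users = {}          # username -> password (constructed toy store)
        self.federations = {}    # (username, sp_id) -> opaque name identifier
        self.sessions = {}       # IdP session id -> username

    def register(self, username: str, password: str) -> None:
        self.users[username] = password

    def login(self, username: str, password: str) -> str:
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def federate(self, sid: str, sp_id: str) -> str:
        """Opt-in account linking: mint an opaque, per-SP name identifier.
        Each SP receives a different handle, so two SPs cannot correlate the
        same principal by comparing identifiers, and no real name leaves the IdP."""
        username = self.sessions[sid]
        return self.federations.setdefault((username, sp_id), secrets.token_hex(16))

    def issue_assertion(self, sid: str, sp_id: str, lifetime: int = 300) -> dict:
        """Single sign-on: an authenticated session yields a signed, audience-
        bound, short-lived assertion carrying only the federated handle."""
        username = self.sessions[sid]
        handle = self.federations.get((username, sp_id))
        if handle is None:
            raise PermissionError("principal has not federated with this SP")
        now = int(time.time())
        claims = {"id": secrets.token_hex(8), "issuer": self.provider_id,
                  "audience": sp_id, "name_id": handle,
                  "issued": now, "expires": now + lifetime}
        return {"claims": claims, "signature": _sign(self.key, claims)}

    def global_logout(self, sid: str) -> list:
        """End the IdP session and return the SPs that must end theirs
        (simplification: every federated SP is notified)."""
        username = self.sessions.pop(sid)
        return [sp for (user, sp) in self.federations if user == username]


class ServiceProvider:
    def __init__(self, sp_id: str, idp_id: str, idp_key: bytes):
        self.sp_id, self.idp_id, self.idp_key = sp_id, idp_id, idp_key
        self.handle_to_account = {}   # opaque name identifier -> local account
        self.seen_assertion_ids = set()
        self.sessions = {}            # local account -> True while logged in

    def link_account(self, local_account: str, handle: str) -> None:
        self.handle_to_account[handle] = local_account

    def consume_assertion(self, assertion: dict, now: Optional[int] = None) -> str:
        """Trust the IdP's decision only after signature, issuer, audience,
        lifetime and replay checks all pass; then map handle -> local account."""
        claims, sig = assertion["claims"], assertion["signature"]
        now = int(time.time()) if now is None else now
        if not hmac.compare_digest(sig, _sign(self.idp_key, claims)):
            raise ValueError("signature invalid")
        if claims["issuer"] != self.idp_id or claims["audience"] != self.sp_id:
            raise ValueError("assertion not issued by trusted IdP for this SP")
        if now >= claims["expires"]:
            raise ValueError("assertion expired")
        if claims["id"] in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(claims["id"])
        account = self.handle_to_account.get(claims["name_id"])
        if account is None:
            raise ValueError("unknown federated identifier")
        self.sessions[account] = True
        return account

    def logout_all(self) -> None:
        self.sessions.clear()


def _attempt(sp: ServiceProvider, assertion: dict, now: Optional[int] = None) -> str:
    try:
        return sp.consume_assertion(assertion, now)
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Walk one principal through federation, SSO at two SPs and global logout."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.example", key)
    sps = {"shop.example": ServiceProvider("shop.example", "idp.example", key),
           "bank.example": ServiceProvider("bank.example", "idp.example", key)}
    idp.register("alice", "correct horse")
    sid = idp.login("alice", "correct horse")
    h_shop, h_bank = idp.federate(sid, "shop.example"), idp.federate(sid, "bank.example")
    sps["shop.example"].link_account("alice-shop", h_shop)
    sps["bank.example"].link_account("a.smith", h_bank)
    r = {"handles_differ": h_shop != h_bank}
    a = idp.issue_assertion(sid, "shop.example")
    r["shop_login"] = _attempt(sps["shop.example"], a)
    r["replay"] = _attempt(sps["shop.example"], a)            # same assertion again
    r["wrong_audience"] = _attempt(sps["bank.example"], a)    # shop assertion at bank
    r["bank_login"] = _attempt(sps["bank.example"], idp.issue_assertion(sid, "bank.example"))
    r["expired"] = _attempt(sps["shop.example"], idp.issue_assertion(sid, "shop.example"), 10**12)
    for sp_id in idp.global_logout(sid):
        sps[sp_id].logout_all()
    r["sessions_after_logout"] = sum(len(sp.sessions) for sp in sps.values())
    return r


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```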

  • [April 15, 2003] "Liberty Alliance Moves Ahead." By Peter Judge. In CNET News.com (April 15, 2003). "Proponents of the Liberty Alliance Project, a group developing online identity standards, provided details Tuesday of their Phase Two specifications and demonstrated new features. Liberty held its first public interoperability demonstration at the RSA Conference here with four different applications on display, built with Liberty 1.0 technology from some twenty vendors. The group also released a draft of its Phase 2 specifications, which are expected to become finished standards later this year. 'We've added permissions-based attribute sharing and other features,' said Michael Barrett, president of the Liberty management board and vice president of Internet strategy at American Express. The second version of the Liberty specification maps a way for Web users to exchange information with Web sites without revealing their identity. It is also designed to allow people to specify a set of affiliated sites onto which they can log. The demonstrations of Liberty 1.0 technology focused on transactions between business and among employees. In one, led by Communicator, an employee was allowed access to several financial services after signing into a single identity server within his company. In another, led by Novell, an employee accessed her pensions and retirement information from external sites through the corporate intranet without having to repeatedly log in. American Express is likely to launch this kind of service soon, hinted Barrett. 'I won't preannounce anything, but we believe there are a number of opportunities.' [...] Beyond the Phase 2 specifications, there will be further enhancements to Liberty's online ID efforts, including more work on policy, said Barrett. 
In the future, its specifications will be linked more closely with Web services, which are applications that use Extensible Markup Language (XML)-based protocols to share information between disparate systems. 'Identity is at the heart of the Web service story,' he said. In related news, the Liberty project announced several new members, including Ericsson, bringing the total up to 160. Interest in the specifications comes from all over the world, with companies from the Pacific Rim showing increasing attention..."

  • [April 14, 2003] "Liberty Alliance Contributes Phase 1 Network Identity Specifications to OASIS for Consideration in SAML 2.0." - "The Liberty Alliance Project and OASIS today announced that the Liberty Alliance has contributed its version 1.1 federated network identity specifications to OASIS. The OASIS Security Services Technical Committee requested Liberty's contribution to permit possible incorporation of Liberty version 1.1 specification features in future versions of the OASIS Open Standard Security Assertion Markup Language (SAML). SAML, an XML-based security framework for authentication and authorization in Web services, serves as a key underpinning to the Liberty Alliance federated network identity architecture. In keeping with Liberty Alliance's philosophy to leverage existing open standards whenever possible and build new functionality only if needed, the Alliance incorporated SAML into its Phase 1 specifications introduced in 2002. The Liberty Alliance chose to extend SAML in version 1.1 to include additional security enhancements vital to identity management, such as opt-in account linking, simple session management and global log-out capabilities. For the benefit of SAML and Liberty implementers and the industry as a whole, Liberty Alliance is providing those extensions back to OASIS for future versions of SAML... 'Collaboration between standards groups enables the Web services industry to move forward at a pace that meets the needs of the market,' said Patrick Gannon, president and CEO of OASIS. 'As SAML evolves, it makes sense to leverage the work Liberty Alliance has already done in this area. Our mutual goal is to decrease time-to-market for new technology, enhance interoperability between products and drive broader adoption of open standards.' 
'We will continue to work closely with OASIS as the Liberty Alliance federated identity architecture evolves,' said Michael Barrett, president of the Liberty Alliance Management Board and vice president for Internet strategy at American Express. 'The Alliance will continue to develop Liberty's Identity Federation Framework within the consortium, and plans to collaborate closely with OASIS on future enhancements'..." See also "Security Assertion Markup Language (SAML)."

  • [April 11, 2003] "Liberty Alliance Submitting Spec to OASIS. Turning Work Over to Standards Body for First Time." By John Fontana. In InfoWorld (April 11, 2003). "Liberty will announce at next week's RSA Conference that the first phase of its work, which was completed in June 2002 and updated in January, will be turned over to the Organization for the Advancement of Structured Information Standards (OASIS). The first phase, which was renamed Identity Federation Framework (ID-FF) in March, is basically Liberty's Version 1.1 specification that outlines single sign-on and account sharing between partners with established trust relationships. The Liberty move may be a reaction to IBM Corp. and Microsoft Corp., who are not Liberty members, but are trying to create their own federated identity management framework built on WS-Security, an evolving Web services standard they created and submitted to OASIS... Draft specifications for Liberty's second and third phases of work, which now incorporate the WS-Security protocol for securing Web services messages, also will be introduced at RSA and will outline how to build a permission framework and sets of services for user identities that can be shared across the Internet. The second phase of Liberty's work, called Identity Web Services Framework (ID-WSF), will allow islands of trusted partners to link to other islands of trusted partners and provide users with the ability to control how their identity information is shared. Phase 3, called Identity Services Interface Specifications (ID-SIS), will build services on top of ID-WSF. The two draft specifications are not being submitted to OASIS at this time but will be opened to the usual public review. 'I think it is significant that Liberty is ready to open up to a wider world than its own group,' says Prateek Mishra, co-chair of the Security Services technical committee at OASIS and director of technology and architecture at Netegrity, a Liberty Alliance member. 
Liberty's Version 1.1 specification will become a foundation document to help create Version 2 of OASIS's Security Assertion Markup Language (SAML), according to sources. SAML 1.0 is a standard for exchanging authentication and authorization information and is incorporated into and extended by Liberty's Version 1.1. The hope is that ID-WSF and ID-SIS will eventually extend SAML 2.0 to create a single standards-based environment for federated identity and sharing of identity credentials..." See also "Security Assertion Markup Language (SAML)."

  • [April 01, 2003] "The Liberty Alliance." By Paul Madsen. From WebServices.xml.com (April 01, 2003). "For the consumer or employee, federated identity will mean a far more satisfactory on-line experience - as well as new levels of personalization, security, and control over their identity information. The existence of such an infrastructure will open up new business opportunities, including providing economies of scale that lower business costs and expedite the growth of the Internet and e-commerce. Making this happen is what the Liberty Alliance Project is all about... Liberty's first phase focused on enabling simplified sign-on through identity federation -- this work is referred to as the Liberty Identity Federation Framework (ID-FF). The Liberty Phase 2 specifications (expected in mid-2003) will build on this base to provide key features for enhancing identity federation and enabling interoperable identity-based web services. This upcoming work is known as the Identity Web Services Framework (ID-WSF). The Liberty Phase 1 specifications released in July 2002, and updated in January 2003, provide the plumbing for federated identity management. These specifications, called the Liberty Alliance Identity Federation Framework (ID-FF), provide standards for simplified sign-on and federation or 'linking' among disparate accounts within a group of businesses that have already established relationships. The Liberty Phase 2 specifications, which are expected in mid-2003, will enhance Liberty's Identity Federation Framework and introduce the Liberty Alliance's Identity Web Services Framework (ID-WSF). This Web Services Framework outlines the technical components necessary to build interoperable identity-based web services that meet specific business needs and also protect the privacy and security of users' shared information. 
Phase 2 also includes the introduction of Liberty Alliance Identity Services Interface Specifications (ID-SIS), a collection of specifications built on the Liberty Identity Web Services Framework. These specifications will provide a standard way for companies to build interoperable services like registration profiles, contact books, or calendar, geo-location or alert services. The first service interface specification to be introduced is the ID-Personal Profile, which will define a basic profile template that can be used to build a registration service. As it did for Phase 1 ID-FF, XML will play a key role in Liberty's ID-WSF and subsequent phases. For instance, to enable the permission-based attribute sharing necessary for Web-based identity services that enable users to control their data, there will need to be XML schemas for capturing a user's core profile (e.g., their shipping address, their cell phone number, etc.), and a protocol for requesting such profile information..."

  • [March 25, 2003] "Phaos Releases Toolkit to Meet Liberty Alliance 1.1 Specifications, Increases Liberty Alliance Involvement as Sponsor Member. Phaos Technology Enables Java Developers to Adhere to Updated Sign-on Authentication and Authorization Specifications." - "Phaos Technology Corp., a leading global provider of cross-platform e-Security services and software tools to empower Internet applications, today announced the release of the Phaos Liberty Toolkit to enable developers to build applications that meet the newly established Liberty Alliance 1.1 specifications as well as the Company's membership as a sponsor member in the project. As a sponsor member, Phaos will participate in the policy, marketing and technology committees of the program. The Liberty Alliance strives to support the development, deployment and evolution of an open, interoperable standard for federated network identity. The Liberty Alliance 1.1 specifications are an important element for the upcoming Liberty Alliance Phase 2 specifications, which introduce the Identity Web Services Framework (ID-WSF). ID-WSF outlines the technical components necessary to build interoperable identity-based Web services that meet specific business needs and also protect the privacy and security of users' shared information. By keeping in-step with the specifications as they are ratified, Phaos enables Java developers to immediately begin building applications that adhere to the sign-on authentication and authorization specifications set by the Liberty Alliance. With the Phaos Liberty Toolkit, Java developers can rapidly build applications that enable single sign-on capabilities, support the consolidation of enterprise authentication schemes and allow the migration from legacy infrastructure to XML-based Web services. 
The Phaos Liberty Toolkit provides integrated message security (XML digital signatures and XML encryption) and channel security (SSL/TLS), and provides stronger privacy and identity protection mechanisms by seamlessly integrating with smart cards and hardware security modules. Dynamic and scalable performance acceleration using cryptographic/SSL accelerators is also supported..."

  • [March 24, 2003] "The First Taste of Liberty. Sign On Once, Log In Everywhere." By Frank Sommers. In Java World (March 21, 2003). "Prompting a user to separately log into closely affiliated Websites creates an awkward user experience. Web services that rely on one another may not even permit separate logins since they must operate without human intervention. The Liberty Alliance Project specifications provide a single sign-on mechanism for both Websites and Web services. This article explores how Liberty helps federate a user's identities from different service providers and uses that federated network identity to authenticate a user to many Web-accessible services. The article concludes with an example of how two Websites can use single sign-on... Being able to sign on once and log in everywhere may appear to your Website's or Web service's users as magic. But, as this example shows, there is no magic to single sign-on. It's a matter of following the Liberty protocols' message exchanges and trusting authentication decisions issued by an identity provider. The more Websites you must interact with that support Liberty, the more common the single sign-on experience becomes. Currently, only Sun Microsystems' Sun ONE (Open Network Environment) product line supports the Liberty protocols, but Liberty is fast gaining industry support, and dozens of companies have announced plans to Liberty-enable their products and e-commerce Websites. The forthcoming Liberty 2.0 specifications will address issues beyond single sign-on and identity federations -- for instance, they may let you share a user's preferences and other user-specific data as well. While eliminating duplicate login and data entry forms is sure to please your Website's or service's users, introducing Liberty into your Website or Web service architecture can cut down on what surely must be the biggest annoyance in a development project: duplicating functionality. 
That's because Liberty can help you factor out authentication roles, on the one hand, and services that are consumers of authentication-produced information, on the other. That way you could maintain just one service (or servlet) acting as an identity provider, and your other services can rely on that identity provider's authentication assertions. Instead of developing some application-specific way to exchange security assertion information, Liberty allows you to depend on SAML data structures. As you add services to your infrastructure, those new services can leverage what's already available..."

  • [March 11, 2003] "Introduction to the Liberty Alliance Identity Architecture." From the Liberty Alliance Project. Revision 1.0. March, 2003. 14 pages. Abstract: "This paper provides a brief overview of the Liberty Alliance's federated network identity management architecture. The Liberty Alliance's vision is one of a networked world in which individuals and businesses can more easily interact with one another, while respecting the privacy and security of shared identity information." From 'What is Identity?': "...The traits, attributes, and preferences that define individuals make up their identity, while the relationship of the individual with an entity determines which elements of the identity should be shared. This maintenance of privacy and identity control is paramount in the Internet world, yet users also demand ease-of-use and rapid access. What is the best way to balance the two needs? By establishing a federated network identity that links the various user identities together. A federated network identity delivers the benefit of simplified sign-on to users by granting rapid access to resources to which they have permission, but it does not require the user's personal information to be stored centrally. This increases security and delivers better identity control. With a federated network identity approach, users authenticate once and can retain control over how their personal information and preferences are used by the service providers. A federated network identity is also beneficial for businesses because it allows them to more easily conduct business transactions with authenticated employees, customers and partners. The group of service providers that share linked identities and have business agreements in place is known as a circle of trust. 
The attribute sharing policies within a circle of trust are typically based on the following: (1) A well-defined business agreement between the service providers; (2) Notification to the user of information being collected; (3) User granting consent for types of information collected; (4) Where appropriate, recording both notice and consent in an auditable fashion..." From the posting of Michael Barrett: "We are pleased to announce today the public availability of a white paper detailing the architecture for the Liberty Alliance work and specifications... The new identity architecture outlines the direction Liberty will follow to accomplish its vision of enabling a networked world in which individuals and businesses can more easily interact with one another while respecting the privacy and security of shared identity information. This document and the thinking behind it have already proven to be of great interest to the press and analyst community that has been briefed on our work, and we trust it will be equally interesting to you as you continue to explore the Liberty Alliance. This document and the roadmap for the Liberty Alliance will be a major item of discussion at the upcoming All Participant's Meeting for the Liberty Alliance to be held in San Francisco, April 14, 2003. If you haven't yet joined the Alliance but would like to start taking a more active role, this might be an opportune time for your organization to join. If you would like more information on Liberty Alliance membership please visit [the Liberty Alliance website]..." [cache]
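The four attribute-sharing policies listed in the architecture paper (business agreement, notice, consent, auditable record) and the permission-based profile sharing mentioned for ID-WSF can be put into concrete terms with a small attribute provider. The following is an added example written for this page, not code from the Liberty Alliance or from any Liberty toolkit; the provider names, attribute categories, profile values and consent records are constructed for the illustration, and the consent model (per-requester, per-category) is an assumption rather than anything the specifications prescribe.

```python
"""Consent-gated attribute release inside a circle of trust (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# (1) Business agreement: only providers in the circle of trust may ask.
# Constructed names; not real providers.
CIRCLE_OF_TRUST = {"idp.example", "shop.example", "travel.example"}

# Constructed attribute categories a user can grant separately.
CATEGORIES = {
    "shipping_address": "contact",
    "mobile_phone": "contact",
    "date_of_birth": "demographic",
}


@dataclass
class AuditRecord:
    ts: str
    requester: str
    user: str
    requested: tuple
    released: tuple
    reason: str


@dataclass
class AttributeProvider:
    profiles: dict                              # user -> {attribute: value}
    consents: dict                              # (user, requester) -> set(categories)
    notices: set = field(default_factory=set)   # (user, requester) pairs notified
    audit: list = field(default_factory=list)   # every release decision

    def record_notice(self, user, requester):
        # (2) The user is told which provider collects what; remember that.
        self.notices.add((user, requester))

    def grant_consent(self, user, requester, categories):
        # (3) Consent is per category; it cannot precede notice.
        if (user, requester) not in self.notices:
            raise ValueError("consent recorded before notice")
        self.consents.setdefault((user, requester), set()).update(categories)

    def revoke_consent(self, user, requester):
        self.consents.pop((user, requester), None)

    def request_attributes(self, requester, user, attributes):
        # Returns only attributes the user consented to share with this
        # requester; (4) every decision, granted or not, is written to the audit log.
        ts = datetime.now(timezone.utc).isoformat()
        if requester not in CIRCLE_OF_TRUST:
            self.audit.append(AuditRecord(ts, requester, user, tuple(attributes), (),
                                          "not in circle of trust"))
            return {}
        allowed = self.consents.get((user, requester), set())
        released = {}
        for name in attributes:
            if CATEGORIES.get(name) in allowed and name in self.profiles.get(user, {}):
                released[name] = self.profiles[user][name]
        self.audit.append(AuditRecord(ts, requester, user, tuple(attributes),
                                      tuple(released), "consent checked"))
        return released


def demo():
    # Constructed walk-through: one user, one consenting SP, one outsider.
    ap = AttributeProvider(
        profiles={"alice": {"shipping_address": "1 Main St",
                            "mobile_phone": "555-0100",
                            "date_of_birth": "1970-01-01"}},
        consents={},
    )
    ap.record_notice("alice", "shop.example")
    ap.grant_consent("alice", "shop.example", {"contact"})
    first = ap.request_attributes("shop.example", "alice",
                                  ["shipping_address", "date_of_birth"])
    outsider = ap.request_attributes("unknown.example", "alice", ["shipping_address"])
    ap.revoke_consent("alice", "shop.example")
    after = ap.request_attributes("shop.example", "alice", ["shipping_address"])
    return ap, first, outsider, after
```

The point a reviewer would check is that the release decision is made from the consent record, never from the request, and that a refusal is logged just like a grant, so the audit trail shows who asked for what even when nothing was released.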

  • [March 11, 2003] "Liberty Alliance Project Completes Federated Network Identity Architecture." - "The Liberty Alliance, a consortium formed to develop open standards for federated network identity, today released details outlining the Liberty Alliance Federated Network Identity Architecture, a complete infrastructure that the Alliance expects will resolve many of the technology issues currently hindering deployment of identity-based web services. This new identity architecture outlines the direction the Liberty Alliance will follow to accomplish its vision of enabling a networked world in which individuals and businesses can more easily interact with one another while respecting the privacy and security of shared identity information. The architecture and features of current and upcoming Liberty specifications are detailed in the white paper titled Introduction to the Liberty Alliance Identity Architecture, now available on www.projectliberty.org... The complete Liberty Alliance federated network identity architecture provides an open, standards-based foundation for building and supporting identity-based web services. The architecture enables companies to increase the security of their information systems, lower infrastructure maintenance costs, and more easily adapt to new business models and new technology. Consumers and employees will also benefit by having more choice and convenience in how they share and manage personal information over the web... The specifications released in Phase 1 in July 2002, and updated in January 2003, provide the plumbing for federated identity management. These specifications, called the Liberty Alliance Identity Federation Framework (ID-FF), provide standards for simplified sign-on and federation or "linking" among disparate accounts within a group of businesses that have already established relationships. 
Businesses, governments and other organizations can use this commonly accepted architecture to build their own interoperable products and services... Phase 2 of the Liberty Alliance specifications, which are expected in mid-2003, will enhance Liberty's Identity Federation Framework and introduce the Liberty Alliance's Identity Web Services Framework (ID-WSF). This Web Services Framework outlines the technical components necessary to build interoperable identity-based web services that meet specific business needs and also protect the privacy and security of users' shared information. Phase 2 also includes the introduction of Liberty Alliance Identity Services Interface Specifications (ID-SIS), a collection of specifications built on the Liberty Identity Web Services Framework. These specifications will provide a standard way for companies to build interoperable services like registration profiles, contact books, or calendar, geo-location or alert services. The first service interface specification to be introduced is the ID-Personal Profile, which will define a basic profile template that can be used to build a registration service. The Liberty Alliance is not a service-provider, so these specifications will offer a method to standardize the interface for exchanging data between different systems, not to standardize the service itself..."

  • [March 06, 2003]   Government Agencies Join Liberty Alliance to Support Digital Identity Standards.    Liberty Alliance has announced support from two key U.S. government agencies that are looking to the open Liberty Alliance Project to address digital identity challenges. The U.S. General Services Administration (GSA) and the U.S. Department of Defense (DoD) "have joined the Liberty Alliance in its pursuit to develop open and interoperable standards for electronically managing identity information. The GSA and DoD join other Liberty Alliance members from both the private and public sectors, representing various countries around the world. The global collaboration of government organizations, corporations and consumer interest groups will prove invaluable to helping solve the complex technical and business issues associated with network identity that the Liberty Alliance is currently working to address."

  • [February 19, 2003] "Identity Systems and Liberty Specification Version 1.1 Interoperability." Edited by Paul Madsen. A Liberty Alliance Technical Whitepaper. February 14, 2003. 15 pages. Document Description: Liberty and 3rd Party Identity Systems White Paper-07.doc. "Today, most enterprises, government entities and non-profit organizations have substantial investments in processes and infrastructures to maintain the integrity of their business systems. Much as the Internet has provided access to sources of information and the need to track in more detail the activities of members of these organizations, sharing electronic information about users of information is rising in the minds of the management ranks of these organizations. This has spawned the need to create circles of membership in groups that can validate identities of the consumers of information. As a result, new organizations are being formed by various profit, non-profit and governmental groups to address this need. The solutions that are being put forward by these groups provide opportunities to choose or integrate with a new class of service provider called the Identity Manager. This white paper seeks to address some of the emerging Identity Management technical approaches and how the latest version of Liberty Alliance Project specifications can co-exist with these other technical approaches. It is targeted to technical architects, project managers and other evaluators who are involved in building and maintaining identity applications and infrastructures... Network identity refers to the global set of attributes that are contained in an individual's various accounts with different service providers. These attributes include information such as names, phone numbers, social security numbers, addresses, credit records and payment information. For individuals, network identity is the sum of their financial, medical and personal data -- all of which must be carefully protected. 
For businesses, network identity represents their ability to know their customers and constituents and reach them in ways that bring value to both parties... Federated network identity and the infrastructures are driven by more than specifications alone. Liberty understands that all organizations will have multiple identity managers -- public, private or proprietary -- with whom it will have to coexist. Liberty Alliance is working to ensure that its specifications and deliverables will work with other existing and emerging organizations that will certify or authenticate network identity, most specifically in federated circles of trust..." See also the earlier 2003-02-07 reference "Liberty Alliance Releases ID Management Specification. White Paper Explains Possible Interoperability." [cache]

  • [February 13, 2003] "Repositioning the Liberty Alliance." By The Butler Group. In Sun ServerWorld Online (February 13, 2003). OpinionWire. ['The Liberty Alliance is working to change the impression that it is an antagonist to Microsoft's Passport.'] "To date, successful Single Sign On (SSO) implementations have been few and far between. The main obstacle is the lack of interoperability between proprietary vendor technologies, especially in an e-business setting; applications often cannot talk to each other, and the exchange of session data between sites is still a common issue in many Business-to-Business (B2B) settings. Similar problems exist for consumers, who must typically sign in manually to each e-commerce site they choose to visit. Commercial interests presume that by eliminating the need to sign in to each such site through provision of SSO, where the user's credentials travel with him or her, consumers will enjoy a more rewarding Web experience and sales volumes will rise accordingly. Until recently, the highest profile SSO initiatives have been Microsoft's .NET Passport and the Liberty Alliance specification, which is backed by a consortium of various industries, and the positioning of the two has often been more confrontational than cooperative. However, the Alliance is trying to change this point of view. It has recently released a white paper [see above, "Identity Systems and Liberty Specification Version 1.1 Interoperability"] detailing how its federated identity management system can be deployed to interoperate with third-party SSO systems, including Microsoft's Passport. The paper is intended to more clearly position the role of the Liberty Alliance 1.1 specification as part of a much wider framework, and most importantly, as being able to interoperate with a wide range of industry practices and protocols. 
An important element of the Liberty specification is its use of Secure Access Markup Language (SAML), an emerging security protocol that the Alliance is supporting with extensive developmental resources. SAML makes use of authentication tokens that can be exchanged between remote sites and applications in order to verify the identity of any given user, rather than depending upon any one vendor's proprietary technology. In theory at least, this should reduce many concerns about buying in to the 'wrong' technology, which has been a serious inhibiting factor for many organizations that wish to implement SSO solutions..."

  • [February 07, 2003] "Liberty Alliance Releases ID Management Specification. White Paper Explains Possible Interoperability." By Paul Roberts. In InfoWorld (February 07, 2003). "Amid growing concern that it is being overshadowed by Microsoft's .Net Passport technology, The Liberty Alliance Project released a new specification Thursday to explain how the organization's federated identity model might one day coexist with Passport and other identity management systems. The technical white paper, entitled 'Identity Systems and Liberty Specification version 1.1 Interoperability,' compares and contrasts the consortium's federated identity model against .Net Passport, Verified by Visa, and other third-party authentication systems. The paper was produced to address questions and misconceptions about the Liberty Alliance model, said Paul Madsen, the paper's author and a consultant in the Advanced Security Technologies group at Entrust. 'The paper was motivated less to define a framework for Liberty working together with other systems than to address confusion in the marketplace about what Liberty was and how it would work with other systems, and sometimes compete with those other systems,' Madsen said. In particular, the paper was written to address the misconception that Liberty was a service akin to Microsoft's .Net Passport. Unlike .Net Passport, Liberty is a set of specifications for protocols that can be implemented by different organizations which become Passport-like user authentication services... While it may be fair to compare Passport to a particular implementation of the Liberty specifications, comparing the consortium's specifications to Microsoft's service is not particularly useful, Madsen said. The white paper also points out fundamental technical differences between .Net Passport and the Liberty specifications. 
For example, The Liberty Alliance specifications back the use of Security Assertion Markup Language (SAML) for exchanging authentication tokens as compared with Passport's proprietary schema, and the two authentication systems differ in the way they communicate tokens from one site to the next. 'There were a lot of misconceptions about how Liberty compares to Passport. We wanted to set out the differences and, recognizing those, set out some scenarios where Liberty and Passport can exist,' Madsen said. On that score, the new white paper proposes a number of scenarios in which .Net Passport and Liberty might work together. In one scenario, a third-party Web site might act as an identity provider in a Liberty 'circle of trust' (COT), creating SAML assertions for other service providers while also existing as a Passport member site, processing tokens issued by Passport.com. In this scenario, Identity.com would then act as a 'mediator' between the Liberty-governed domain and the Passport domain, converting Passport tickets into SAML assertions and vice versa. In a second scenario, a service provider could exist in a Liberty COT and as a Passport member. Either authentication system could be used, depending on the nature of the service being requested, with Passport used for lower-security consumer transactions and Liberty for transactions that require stronger authentication..."

  • [January 16, 2003]   Sun ONE Identity Server 6.0 Supports Liberty Alliance and SAML Specifications.    Sun Microsystems has announced general availability of the Sun ONE Identity Server 6.0, described as "the industry's first open-standards based network identity solution. It provides a standards-based implementation that leverages Java technology, Liberty Alliance federated identity, Security Assertion Markup Language (SAML), and other industry standards (Java Authentication and Authorization Service - JAAS, JDK Logging, SOAP, HTTP/HTTPS, XML DSIG). A key component of Sun's overall identity management solution, Sun ONE Identity Server is built on top of the Sun ONE Directory Server which provides a central repository for storing and managing identity profiles, access privileges, and application and network resource information. It leverages the consolidation capabilities of the Sun ONE Meta Directory which consolidates and integrates identity information spread throughout the computing environment into a single profile. Core services include access management, identity administration, federated authentication, and service management. A key capability of the Sun ONE Identity Server is the ability to federate identities, via either SAML or the Liberty Specification (Single Sign-On and Federation Protocol; Federation Termination Notification Protocol; Name Registration Protocol; Single Logout Protocol; Identity Provider [IDP] Introduction Protocol), both internal and external to the organization's firewall."

  • [January 14, 2003] "Sun Microsystems Delivers Industry's First Liberty-Enabled Web Single Sign-On Product. Sun ONE Identity Server 6.0 Delivers Easy Access to Applications and Services Through Single User-Login, Reduces Administration Overhead and Provides Increased Revenue Opportunities." - "Delivering on its commitment to customers and the Liberty Alliance organization, Sun Microsystems, Inc. today announced the general availability of the Sun ONE Identity Server 6.0, the industry's first open-standards based network identity solution. Increasingly, organizations require the ability to enable their employees, business partners and customers to easily and seamlessly access information and services via the Web in a secure, privacy-protected, non-proprietary, cost-effective manner. The Sun ONE Identity Server 6.0 provides a standards-based, future-proofed implementation that leverages Java technology, the Liberty Alliance, Security Assertion Markup Language (SAML), and XML specifications. By providing a foundation based on SAML standards, Sun provides a complete identity and access management foundation that helps secure the delivery of business information today through open standards such as Liberty and provides organizations with the ability to adapt to changing business requirements. The Sun ONE Identity Server 6.0 is the first commercial-grade identity management solution that fully integrates access management, delegated administration, directory and federation services into a single product. A key component of Sun's overall identity management solution, it is built on top of the market-leading Sun ONE Directory Server and leverages the consolidation capabilities of the Sun ONE Meta Directory... A key capability of the Sun ONE Identity Server is the ability to federate identities, via either SAML or the Liberty Specification, both internal and external to the organization's firewall. 
Increasingly, customers are choosing Sun to provide them with a scalable, highly available solution that leverages existing directory and name space investments, while providing a path forward to new business ventures... The Sun ONE Identity Server 6.0 integrates the Sun ONE Directory Server and includes the following core services: (1) Access Management: Delivers single sign-on for Web-based resources and centrally controlled access services. Flexible authentication mechanisms including LDAP, RADIUS, X.509v3 certificates, SafeWord token cards, and UNIX platform authentication services. APIs in C, Java, and XML allow customization and easy integration for policy, authentication, auditing/reporting, and client interfaces. (2) Identity Administration: Provides centralized administration of identities, policies, and services. (3) Federation: These services enable shared authentication with affiliate organization Websites and are supported through the Liberty Alliance and SAML (Security Assertions Markup Language) specifications. These specifications will help establish an open, single sign-on standard with decentralized authentication and authorization. (4) Service Management: These capabilities help manage configuration data of external applications and services and provide a solution for customizing and registering management parameters for external applications, such as service-delivery via a portal or mail quota on an e-mail server..."

  • [January 07, 2003] "Liberty Alliance Reports Majority of Sponsor Members Polled Plan to Implement Liberty Specifications in 2003, Adoption Plans Span Industries. Alliance Also Introduces 22 New Members, Bringing Total Membership to 150." - "The Liberty Alliance Project, a business and technology consortium formed to develop open specifications for federated network identity, today reported that a majority of founder- and sponsor-level members polled said they plan to implement the Liberty version 1.1 specifications within the year. The Liberty Alliance also today announced 22 new members, bringing the total Alliance membership base to 150 organizations. In a recent internal poll of Alliance founder and sponsor members, more than 70 percent of all respondents planning to implement the specifications, regardless of the timeframe, said they expect to incorporate the specifications into products and/or services for their customers. Approximately 52 percent also placed high priority on using the specifications to benefit their employees. And 59 percent of respondents said they plan to implement the version 1.1 specifications within the next 12 months or have already implemented them... General Motors is currently evaluating ways in which the Liberty specifications could streamline internal processes and improve employee relations. For example, GM is currently testing use of the Liberty specifications within its employee intranet, called MySocrates. MySocrates provides access to many of the outsourced HR services that GM employees receive, such as health benefits and 401K plans... Niteo Partners, a strategic consulting subsidiary of NEC, is working with the largest U.S. cash management banks and the Financial Services Technology Consortium (FSTC), to construct a multi-bank services network for securely exchanging customer account, transaction, and credential data via a set of interoperable web services. 
The Liberty specifications and the SAML standard from OASIS will be included as key components of the overall security framework for this bank-to-bank network. In addition, NEC and Niteo have recently launched a project with The Bond Market Association (TBMA) to lead the development of an industry accessible data portal for servicing fixed income securities dealing, trading and settlement. This data portal, as proposed, will also support the Liberty specifications... 'Last year was very productive for the Alliance - we began our work in January 2002, launched the version 1.0 specifications in July, issued version 1.1 for public review in November and are moving forward toward releasing a draft of version 2.0 within the first half of this year,' said Michael Barrett, president of the Liberty Alliance Management Board..."

  • [December 16, 2002] "PostX Announces Plan to Support and Integrate New Liberty Alliance v1.1 Specification for Federated Identity Management Standard. Leading Secure Messaging Company first to Embrace Powerful New Open Standard. Also Announces Support of SAML v1.0 (Security Assertion Markup Language)." - PostX has announced 'support and planned integration of the Liberty Alliance v1.1 specifications for federated network identity management. These standards will be integrated into the next generation of the PostX Enterprise secure messaging platform due for release in Q1 2003... PostX has also announced support of SAML in their upcoming release. SAML is the OASIS standard XML schema for security assertions and protocols. It enables security interoperability through the exchange of authentication and authorization information among disparate Web access management and security products. It addresses the need for secure single sign-on across diverse Web access management environments implemented across various organizations, applications, Web sites, and portals. The standard defines standardized exchanges of identity and access management (IAM) information, leveraging Web services standards such as XML and SOAP. 'Liberty Alliance, through its broad membership and high industry profile, has clearly established itself as an important group addressing Web services security through federated identity standards. Liberty is leveraging industry momentum surrounding the new OASIS standard, SAML 1.0, upon which the Alliance has built its specifications,' said James Kobielus, senior analyst at Burton Group. 'Concurrently, several industry vendors publicly announced commitments to implementing the Liberty Version 1.x specifications in their products over the coming year. PostX's support for Liberty Version 1.1 is encouraging, because it shows deepening vendor support for the standard throughout diverse product niches, such as secure messaging.' 
PostX is the only secure messaging company that plans to implement a federated authentication model based on the Liberty Alliance v1.1 specification. In PostX's implementation, users authenticate with their preferred authentication mechanism, which can be passed within a circle of 'trusted' entities. This allows the promise of single sign-on to be delivered to end users with no reduction in usability or security implementations; it is transparent to the sender and recipient... PostX was founded in 1996 with a mission to maximize ECommunications value for organizations by enabling secure electronic delivery of information vital to business and customer relationships. PostX delivers powerful, secure EStatements, EConfirms, EPaystubs, Ecustomer Service, and EMarketing direct to any computer desktop or wireless device, unleashing real value in the form of significant cost savings, powerful marketing opportunities, and deeper recipient loyalty..."

  • [December 16, 2002] "A Question of Identity: Passport, Liberty, and the Single Sign-On Race." By Amit Asaravala. In New Architect Volume 8, Issue 01 (January 2003), pages 22-24. "... new options are emerging that lend SSO capabilities to independent businesses. Perhaps the largest public SSO network in existence is Microsoft's .Net Passport. Launched in 1999, it now boasts nearly ninety participating sites and claims to host 200 million user accounts... While Passport membership is free to end users, participating businesses must pay an annual fee of $10,000, plus a vaguely defined "compliance testing fee" of $1,500. According to Microsoft, the latter covers the cost of having an outside vendor verify a Passport implementation, and is usually -- though not always -- a one-time fee. From the developer's standpoint, a Passport subscription amounts to a license to use the Passport development libraries in a production environment. Subscribers need not use a Microsoft Web server or even a Microsoft operating system -- the libraries are available for Solaris and Linux systems running the Apache and iPlanet Web servers, in addition to Windows and IIS. In order to activate Passport, developers must go through their sites and add API calls to each Web page or resource that needs authentication. The alternative for companies not interested in joining Passport or waiting for Magic Carpet is the Liberty Alliance Project. Formed in September 2001, the Liberty Alliance is a consortium made up of 130 organizations from various industries, including such diverse companies as American Express, Bank of America, Hewlett-Packard, Sun Microsystems, and United Airlines. Unlike Microsoft, the Liberty Alliance isn't itself a software company. Rather than providing a service or creating a product, the consortium's goal is to define and maintain a standard to which SSO services and other identity management solutions should be built. 
For instance, AOL Time Warner joined the Alliance in December 2001, and has agreed to have Magic Carpet conform to the Liberty specification. Organizations can use the specification regardless of whether they are members of the Liberty Alliance, however. The Alliance released its Liberty 1.0 specification in July 2002. As an industry standard, Liberty will make integration with potential partners easier than it would be using proprietary solutions. For example, if two companies merged and the Web applications on their respective intranets both used Liberty for authentication and authorization, the total cost of merging the companies' infrastructures would be dramatically reduced. There are a number of competing enterprise-class SSO products on the market, like Computer Associates' eTrust SSO and Novell's SecureLogin... If you're an online retailer looking to join a large, established SSO network right away, Passport is the answer. If you can wait six months to a year, or you only need to offer SSO capabilities within a limited group of sites and applications, then Liberty-based solutions are definitely worth a look, particularly because of their full support for SAML. Finally, if you're planning to create Web services that need authentication and authorization capability, building to the WS-Security specification will help you plug into federated identity services at a later date. Of course, another option is simply to wait for de facto standards to emerge before deciding which technologies to adopt..."

  • [December 02, 2002] "Liberty Alliance Waves White Flag at Passport." By Peter Galli and Dennis Fisher. In eWEEK (December 02, 2002). "A growing rift among members of the Liberty Alliance authentication project is placing the technology's future in question. At the core of the problem is exactly where to target the single-sign-on technology in the face of stiff and growing client-side competition from Microsoft Corp.'s Passport service. Officials at the Liberty Alliance's founder and chief sponsor, Sun Microsystems Inc., last week went so far as to concede defeat to the Passport authentication service on the Windows platform. 'There is no way we can compete with them there. They have that market tied down really tight,' said Jonathan Schwartz, executive vice president at Sun's software group, in Menlo Park, Calif. For Liberty to compete, a new, pervasive computing client such as a smart phone that is not based on Microsoft software will have to emerge to challenge Windows and Passport, Schwartz said. Such a device would give business and consumer users an alternative for authentication and would be a way for Liberty to come into its own, he said. 'I don't think it will be very long before we have a pervasive non-Microsoft client,' Schwartz said. 'Have you seen the latest cell phones, with color screens and keyboards and cameras? That's the way it'll go.' [...] Another influential Liberty member said that Microsoft may have the lead on the Windows platform, but Passport falls short in the enterprise. 'The true value in single sign-on is in cross-platform, cross-domain interaction, and in that space Microsoft has nothing,' said Deepak Taneja, chief technology officer at security vendor Netegrity Inc., in Waltham, Mass. 'Windows is only one part of the equation. Passport has been a huge failure, really. Microsoft managed to get tens of millions of users to register but only because it's become mandatory'..."

  • [November 19, 2002] "Web Identity: Weighing the Alternatives." By Carol Sliwa. In Computerworld (November 11, 2002). "In July [2002], the Liberty Alliance Project released its specifications for a standards-based mechanism for simplified sign-on and user identity management... The second phase of the specifications -- which will include guidelines for site-to-site authentication and user-attribute sharing -- isn't due until the first half of next year, says Paul Madsen, a member of the Liberty Alliance's technology expert group and manager for identity services at Addison, Texas-based Entrust Inc. Microsoft's Passport authentication service, which has primarily targeted consumers, relies largely on proprietary protocols that the company made available last month for inspection and development through its shared source code licensing program. But Passport is expected to shift to authentication tokens based on MIT's Kerberos technology and add support for Web services standards next year. That, in turn, has given many in the industry hope that Passport may someday interoperate with Liberty-based authentication and identity management systems... Currently, the approaches differ. One major distinction is the location where each model stores and maintains user data. Another is the means by which the systems share a user's authentication status information. Under the Microsoft service, users register either via www.passport.com or a member site that has an agreement with Microsoft... The Liberty Alliance takes a different tack. It has no universal, unique user identifier that is recognized across sites, and no single identity provider that centrally stores user data. Instead, a wide range of sites can serve as identity providers, and these may federate with one another, exchanging authentication tokens via the Security Assertion Markup Language (SAML) and SAML extensions. 
Under a Liberty-based system, a user accessing a password-protected site is redirected to the appropriate identity provider. Once there, the user logs in and is redirected back to the original site with a one-time random string called an artifact. The artifact is then presented and exchanged for a SAML assertion, which contains the information the site needs to authenticate the user. In contrast, Microsoft now uses proprietary protocols to transmit authentication tickets between its Passport servers and member sites. Adam Sohn, a product manager in Microsoft's .Net strategy group, says that even when Microsoft adds support for Kerberos-based authentication next year, it will not be 'switch flipping' from the current Passport authentication mechanism to Kerberos-based authentication; it will be more gradual, because there are 200 million existing Passport accounts..."
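The redirect-and-artifact exchange described in the Computerworld excerpt above, as an added worked example in Python; it is not code from the Liberty specification or from any product named on this page. It assumes the SAML 1.x type-1 artifact layout (a 2-byte type code, a 20-byte SourceID derived by SHA-1 from the identity provider's ID, and a 20-byte random assertion handle) and the `SAMLart` query parameter; the identity-provider URL, the sample user database and the direct method call that stands in for the SOAP back channel are all constructed for the example.

```python
"""Simulated Liberty/SAML 1.x browser-artifact single sign-on (added example)."""
import base64
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TYPE = b"\x00\x01"   # assumed: SAML 1.x "type 1" artifact layout
HANDLE_LEN = 20               # 20-byte random assertion handle
ARTIFACT_TTL = 60             # seconds an unresolved artifact stays valid (assumed)


class ArtifactError(Exception):
    """Raised when an artifact cannot be exchanged for an assertion."""


def source_id(provider_id: str) -> bytes:
    # SAML 1.x derives the 20-byte SourceID as SHA-1 of the provider identifier.
    return hashlib.sha1(provider_id.encode()).digest()


@dataclass
class Assertion:
    issuer: str
    subject: str
    audience: str        # the service provider the assertion was minted for
    issue_instant: float
    auth_method: str = "urn:oasis:names:tc:SAML:1.0:am:password"


@dataclass
class IdentityProvider:
    provider_id: str
    users: dict                                  # constructed sample credentials
    pending: dict = field(default_factory=dict)  # handle -> (Assertion, created_at)

    def login_and_issue(self, username, password, sp_id, return_url):
        """Browser leg: authenticate, then redirect back to the SP with an artifact."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad credentials")
        handle = os.urandom(HANDLE_LEN)
        now = time.time()
        self.pending[handle] = (Assertion(self.provider_id, username, sp_id, now), now)
        artifact = base64.b64encode(ARTIFACT_TYPE + source_id(self.provider_id) + handle)
        return return_url + "?" + urlencode({"SAMLart": artifact.decode()})

    def resolve(self, artifact, requesting_sp):
        """Back-channel leg (SOAP in the real profile): artifact -> assertion, once."""
        try:
            raw = base64.b64decode(artifact, validate=True)
        except Exception:
            raise ArtifactError("artifact is not valid base64")
        if len(raw) != 2 + 20 + HANDLE_LEN or raw[:2] != ARTIFACT_TYPE:
            raise ArtifactError("malformed artifact")
        if not hmac.compare_digest(raw[2:22], source_id(self.provider_id)):
            raise ArtifactError("artifact was not issued by this identity provider")
        entry = self.pending.pop(raw[22:], None)   # pop: a second presentation must fail
        if entry is None:
            raise ArtifactError("unknown or already-consumed artifact")
        assertion, created = entry
        if time.time() - created > ARTIFACT_TTL:
            raise ArtifactError("artifact expired")
        if assertion.audience != requesting_sp:
            raise ArtifactError("artifact presented by a provider it was not issued to")
        return assertion


@dataclass
class ServiceProvider:
    provider_id: str
    idp: IdentityProvider
    return_url: str = "https://sp.example/liberty/return"   # constructed

    def authn_redirect(self):
        """Step 1: send the unauthenticated browser to the identity provider."""
        query = urlencode({"ProviderID": self.provider_id, "ReturnURL": self.return_url})
        return self.idp.provider_id + "/sso?" + query

    def consume_return(self, url):
        """Step 3: pull the artifact out of the return URL and exchange it."""
        artifact = parse_qs(urlparse(url).query).get("SAMLart", [None])[0]
        if artifact is None:
            raise ArtifactError("no artifact in return URL")
        return self.idp.resolve(artifact, self.provider_id)


def demo():
    """Full flow, then a replay of the same return URL; returns (subject, replay_rejected)."""
    idp = IdentityProvider("https://idp.example", users={"alice": "correct horse"})
    sp = ServiceProvider("https://sp.example", idp)
    sp.authn_redirect()                                    # browser is sent to the IdP
    back = idp.login_and_issue("alice", "correct horse", sp.provider_id, sp.return_url)
    assertion = sp.consume_return(back)                    # artifact -> assertion
    try:
        sp.consume_return(back)                            # same artifact again
        replay_rejected = False
    except ArtifactError:
        replay_rejected = True
    return assertion.subject, replay_rejected
```

The two properties the excerpt's "one-time random string" depends on are visible in `resolve`: the handle is removed from `pending` on first use, so a return URL captured from the browser cannot be replayed, and the stored assertion names the provider it was issued for, so an artifact leaked from one site cannot be redeemed by another.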

  • [November 19, 2002] "Liberty Alliance Updates Identity Specification." By John Fontana. In Network World (November 19, 2002). "The Liberty Alliance Project on Tuesday updated its specification for creating a standard for network identity and solicited for the first time public comment on the document, signaling the consortium's intention to act more like a traditional standards body. The group released version 1.1 of the spec, which corrects a security flaw and clarifies ambiguities in the text of the draft. The 130-member group in July released the first draft, which details how to create a universal user identity to be used for authentication as a user moves from Web site to Web site. The effort is similar to Microsoft's Passport single sign-on consumer service, which it is trying to adapt for corporate use. [Michael Barrett, president of the Liberty Alliance] says the enhancements were made to bring the specification more in line with corporations that have set policies on managing identity credentials. In addition to changes to the specification itself, the Alliance also opened the document to general review by the public for the first time. Version 1.0 was only open to comments by members of the Alliance. 'We are trying to make the Alliance as open as possible while respecting the rights of our members,' Barrett says. The members, which include both user companies and vendors, pay a fee to participate in the group, which has been coy about whether it may at some point turn its work over to a recognized standards body or continue to work as an independent organization. But by opening the specification for public review, the Alliance seems to be signaling that it will continue to do its own work..." See details in the 2002-11-19 news item "Liberty Alliance Releases Draft Version 1.1 Specifications for Public Review."

  • [October 26, 2002] "Liberty, WS-Security Uniting Over SAML Standards." By Vance McCarthy. From Integration Developer News. October 21, 2002. Case Study. "Last month, the Liberty Alliance Project elected a new president, Michael Barrett, vice president for Internet strategy at American Express. Since coming to office, Barrett has left little doubt that he will push those vendors sparring over identity and security standards -- notably Sun, IBM and Microsoft -- to reach an agreement on interoperability. So far, the 'peace talks' between Liberty and Microsoft Passport seem to be going well, thanks in large part to all-party discussions on security taking place under the OASIS (Organization for the Advancement of Structured Information Standards) umbrella, and some XML-based security brokering technology being specified inside OASIS called SAML (Security Assertion Markup Language). 'It's pretty obvious that we'll use SAML as a glue between different identity approaches [such as Liberty and Passport],' the SAML technical committee co-chair for OASIS Jeff Hodges told Integration Developer News. 'And while SAML is not an authentication technology in and of itself, SAML can be used as a tool to glue together disparate authentication domains.' For its part, Liberty is built on SAML, but does not define any authentication mechanisms. SAML is a framework and one needs to profile it to put into context to make use of it. Further, the Java Community Process (JCP) has a proposal to natively support SAML (JSR 155) for use in J2EE... Of good news to developers worried about interoperability issues, SAML is also being endorsed by Microsoft execs. 'Members of the OASIS security committee want to see all our work reconciled, and we want to see SAML token support in WS-Security,' Adam Sohn, a product manager for Microsoft's .NET platform strategy group, told IDN in an interview this summer. 
Sohn added that WS-Security's decision to support SAML (and Liberty) will not prompt WS-Security to 'downplay' plans to support a variety of security mechanisms already at work within the enterprise, including PKI, Kerberos and even SSL. 'WS-Security will look at Liberty and SAML as just another credential type, and we expect to have support in WS-Security this year,' Sohn added... 'There are a lot of touching points across Liberty, SAML and WS-Security, and it's hard to look at a crystal ball to see exactly what will happen. But we are starting to see some convergences and rapprochement between all these groups,' Slava Kavsan, Chief Technologist at RSA Security and chairman of the Liberty Alliance's Trust and Security Group, told IDN. Notably, RSA has been a key figure in pushing compatibility among Sun, Microsoft and IBM approaches. 'There is good news. First, WS-Security will mention SAML in its next draft.' Kavsan looks at the interoperability issues on identity as similar to other compatibility questions that exist on a number of web services fronts between IBM, Microsoft and Sun. 'We're still in a basic architectural world of the Microsoft client needing to talk to a Java or Sun server,' he said. 'Even though Liberty is working on its own browser-based client spec, Liberty needs to and intends to support Microsoft's client base'..."

  • [October 23, 2002] "Phaos Technology Releases Liberty Toolkit 2.0. e-Security Provider Offers Developer Toolkit for Liberty Alliance Specifications." - "Phaos Technology Corp., a leading global provider of cross-platform e-Security services and software tools to empower Internet applications, today announced the release of the Phaos Liberty Toolkit that will enable developers to build applications that adhere to the sign-on authentication and authorization specifications set by the Liberty Alliance. The Liberty Alliance strives to support the development, deployment and evolution of an open, interoperable standard for federated network identity. Using the Phaos Liberty Toolkit, Java developers can rapidly build applications that enable single sign-on capabilities, support the consolidation of enterprise authentication schemes and allow the migration from legacy infrastructure to XML-based Web services. The Phaos Liberty Toolkit provides integrated XML digital signatures and XML encryption. Furthermore, it provides stronger privacy and identity protection mechanisms by seamlessly integrating hardware operations... Phaos Liberty SDK, released earlier this year, provided the software for encryption standards called for in early Liberty Alliance specifications. The Phaos Liberty Toolkit expands on the earlier release with a fully integrated security library... The Phaos Liberty Toolkit employs secure encryption technologies and works with any XML parser. A pure Java toolkit, the Phaos Liberty Toolkit supports the Phaos PSE, XML, SAML and SSLava toolkits with optional Cryptoki, XKMS and Centuris add-ons available. 
Phaos Technology also announced today the release of the Phaos XML Toolkit 2.0, a Java toolkit for building sophisticated, interoperable and secure XML-based applications that benefit from the code portability and scalability of Java; and Phaos SAML 1.0, which provides a protocol, consisting of XML-based request and response message formats, to communicate assertions of an entity's attributes, authentication and authorization. Phaos Liberty Toolkit, Phaos XML 2.0 and Phaos SAML 1.0 are currently available by contacting Phaos. Liberty Toolkit developer licenses are $10,000 and run-time licenses are $15,000 per CPU. Other toolkits are priced at $3,000-$4,000 for developer licenses and between $3,000-$4,000 per run-time CPU..."

  • [October 04, 2002] "AOLTW Enforces Patents With Liberty Single Sign-On." By Matt Berger. In InfoWorld (October 04, 2002). "The single sign-on authentication technology under development by the Liberty Alliance Project could be bound by intellectual property restraints, despite a pledge from project founders who have said the technology will be open and royalty-free. AOL Time Warner (AOLTW), one of the members of the 120-company consortium, has claimed with the release of version 1.0 of the Liberty Alliance specification that technology it contributed to the project is patented and may be subject to special licensing requirements. From the beginning, founding members of the project have vowed to deliver a completely open and royalty-free technology that would allow compatibility between single sign-on authentication systems from a variety of vendors and Web site operators. Sun Microsystems, which spearheaded the consortium, has been the most vocal advocate of this, arguing that a royalty-free specification is vital in order to provide an alternative to Microsoft's Passport authentication technology. 'Certainly Sun's position is that any of the critical infrastructure for the Web should be available on a royalty-free basis,' said Bill Smith, director of Liberty Alliance technology at Sun. 'It's why the Internet has got off the ground. If we start seeing tollbooths and barriers put up we're going to see an impediment to growth.' ... AOLTW spokesman Andrew Weinstein said that while the company has claimed rights to certain technology in the specification, users will have free access to the specification in the first release. AOLTW has yet to decide how it will license its technology in future versions of the specification... 
Sun's Smith said that it will give free access to the intellectual property Sun contributed to the project with only one condition: Any companies that charge royalty fees for their contributions will have to pay Sun for its intellectual property. That means, if AOLTW is the only company to charge royalties it will also be the only company that has to pay royalties to Sun. The patents that AOLTW has staked claims to were acquired from Netscape and are common Internet technologies, such as those used to enable e-commerce, so-called 'cookies' and the security technology SSL (secure sockets layer), according to patent descriptions on file with the U.S. Patent and Trademark Office. Because these patents are so widely used on the Internet, few expect AOLTW to charge royalty fees to companies that implement the Liberty specification, said Michael Barrett, president of the Liberty Alliance board, and vice president for Internet strategy at American Express. 'If they choose to license (their patents) they could hold half the Internet for ransom,' he said..."

  • [September 24, 2002] "Liberty Alliance Project Announces New Management Board President and New Members. Michael Barrett, American Express to Help Guide Progress of Growing Consortium - Now More than 120 Companies Strong." - "The Liberty Alliance Project, a business and technology consortium formed to develop open specifications for federated network identity, today announced that Michael Barrett, vice president for Internet strategy at American Express, has been elected the new president of the Liberty Alliance Management Board. Barrett previously served as vice president on the Liberty Management Board... Barrett will serve as president until the end of his term in December 2003. Other representatives on the Management Board leadership team include Ian Johnson, senior director of strategic technologies at Vodafone, who has taken over the role of Liberty Alliance vice president; Jim Hughes, director of software standards in Hewlett-Packard's Software Global Business Unit, Enterprise Systems Group and treasurer of the Liberty Alliance; and Bill Smith, director of Liberty Alliance technology for Sun Microsystems Inc. and secretary of the Liberty Alliance. The Liberty Alliance also announced today that membership and interest in the Alliance continues to grow, with 26 new companies joining the Alliance. The Liberty Alliance now consists of more than 120 for-profit, not-for-profit and government organizations... The Liberty Alliance Project is an alliance of more than 120 technology and consumer organizations formed to develop and deploy open, federated network identification specifications that support all current and emerging network devices in the digital economy. Federated identity will help drive the next generation of the Internet, offering businesses and consumers convenience and choice. Membership is open to all commercial and non-commercial organizations..."

  • [September 24, 2002] "The Liberty Alliance Gets New Members, and a President." By Sebastian Rupley. In PC Magazine (September 24, 2002). "The Liberty Alliance -- a consortium of business and technology companies seeking to implement federated standards for authenticating online identities -- has announced 26 new member companies and the appointment of a new president. Michael Barrett, vice president of Internet strategy at American Express, one of the leading partner companies in the Liberty Alliance, will head the organization. The news comes on the heels of Sun Microsystems' delivering the first software layer for implementing Liberty Alliance applications and two weeks after an announcement that a slew of new companies had joined the alliance. Now that the Liberty Alliance has released its 1.0 specification for Liberty-enabled Web services, and Sun has produced a software layer to allow companies to build and test applications, one of the remaining questions is who will oversee standards... the Liberty specification from July was created by the founders of the alliance -- 17 companies, including Sun and AOL -- but the founders were not officially designated as overseers of Liberty standards. The announcement of Barrett's new role as alliance president did not include any information about new policies for overseeing Liberty standards, although Barrett's role will clearly be to oversee the disparate solutions that various companies may deliver... The other top administrators of the Liberty Alliance include vice president Ian Johnson, who is senior director of strategic technologies at Vodafone, and secretary Bill Smith, who is director of Liberty Alliance technology for Sun Microsystems. Among the 26 new companies joining the alliance are Discover Card, Merck, and Wells Fargo..."

  • [September 24, 2002] "Liberty Alliance Plans Interoperability with Passport." By John Blau. In InfoWorld (September 24, 2002). "The Liberty Alliance Project, which is developing Web technology to facilitate single-sign-on authentication, plans to support interoperability between its system and Microsoft's rival Passport system. 'We see opportunities for interoperability between Passport and Liberty Alliance; this option could be part of a 1.1 specification, possibly later this year,' said Paul Madsen, product manager at Entrust in Addison, Texas, on Tuesday at The Burton Group's Catalyst conference in Munich, Germany. Entrust is a member of the Liberty Alliance consortium, which is made up of vendors, service providers, and enterprise users. The Liberty Alliance, which unveiled its first public release in July, is promoting a standard specification that will allow users to travel the Internet and access applications over networks using a single sign-on. Users logging into a Web site supporting the specification, for instance, could then visit other password-protected Web sites that support the technology without having to sign in again... The Passport single sign-on service allows users to access password-protected sites that support the Microsoft technology without having to re-enter their user name and password each time. According to Madsen, the Liberty Alliance is working on a 2.0 version, which will further simplify the sign-on process. The group hopes to release that version in the first quarter of 2003, he said. At least one industry observer views the Liberty Alliance largely as a U.S.-dominated group, although its members include companies from Japan, the U.K., Germany, and Finland..."

  • [September 19, 2002]   Sun Offers Developers Interoperability Prototype for Liberty.    An Interoperability Prototype for Liberty (IPL) was among several announcements issued by Sun Microsystems at the SunNetwork 2002 Conference and Pavilion. The prototype is based upon the Liberty Alliance Version 1.0 specification, and has been designed "for developers (enterprise customers and ISVs) who want to build or test Liberty-enabled applications to manage and maintain their own identity management systems. Based on open standards such as SAML 1.0, XML, and SOAP, both the IPL prototype and the Liberty specification are available immediately for download. The Interoperability Prototype for Liberty is the first open-source implementation of the Liberty Alliance Version 1.0 specification based on Java technology. IPL is designed to help developers learn how the project Liberty Alliance Version 1.0 specification can be implemented. Written for the Java 2 platform, IPL provides the foundation for building liberty into applications and testing interoperability between liberty compliant solutions such as the Sun ONE Identity Server version 6.0. IPL consists of sample Java source code libraries, implementing the Liberty version 1.0 specification, and is not designed for commercial deployment." [Full context]

  • [September 19, 2002] "Federated Identity Face-Off." Interview by Stuart J. Johnston and Dan Ruby. In XML Magazine (October/November 2002). ['In a virtual debate, IBM's Bob Sutor and Sun's Simon Phipps pull no punches on competing federated identity management strategies.' See also the reference list for Federated Identity Resources] Excerpts: Now that WS-Security is in OASIS and has gained Sun's support, how do you see it evolving? [Phipps:] "We're very happy to have WS-Security brought into OASIS so that it can make a contribution to the ongoing security discussion. Microsoft and IBM have done an about-face and have introduced it as a royalty-free specification into OASIS, and we felt that that needed to be encouraged and embraced. So what we've been embracing, fundamentally, is the contribution more than the proposal. There are a couple of principles that we are committed to. One of them is working with open communities to evolve new marketplaces that are level playing fields. Sun is committed to doing that through OASIS, and the fact that the SAML work was already going on at OASIS means that we're deeply committed to SAML." [Sutor:] "Now that it is in a standards body, we would expect WS-Security to morph -- you never know how much. We would certainly expect inputs from other people. Look at how we brought SOAP 1.1 to the W3C two years ago, and fairly soon now we expect a SOAP 1.2 to come out, and it's not exactly the same. A lot of what they're doing with SOAP 1.2 has to do with how you bind it to underlying transports. That wasn't fully expressed in SOAP 1.1. But this was an open effort and whatever the industry decided SOAP 1.2 needed, that was done..." Where are there points of overlap or competition between WS-Security and Liberty Alliance? [Sutor:] "Liberty is not a Web services spec. WS-Security defines a set of SOAP extensions, using SOAP just as it is designed. 
For example, it provides a convention for how to put a SAML assertion in a SOAP header, which will support Liberty as it defines its protocols, conventions, and workflow. From a Web-services perspective, WS-Security is the more fundamental spec..." [Phipps:] "Liberty is a movement by the users of network identity to specify what they need for vendors to provide for them. On the other hand, the ideas in WS-Security up until now were those developed in-house by a monopolist, and only then crossed the border into being a contribution to an open discussion. Liberty's proposed mechanism is comparable with the whole WS-Security road map that has been articulated. WS-Security is just a small piece of an architecture. It says nothing about how to federate..."
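The convention Sutor refers to, a SAML assertion carried in the WS-Security header of a SOAP message, as an added example in Python; it is not code from WS-Security, the Liberty specification, or any product named on this page. It assumes SOAP 1.1, the SAML 1.0 assertion namespace and the final OASIS `wsse` namespace (the 2002 drafts used earlier xmlsoap.org URIs), and a constructed application body. It builds the envelope and then reads the token back the way a consuming service would: only an assertion that sits inside the Security header, carries a major version the consumer understands, falls inside its validity window and names this service as its audience is accepted. Verifying the XML signature that binds the assertion to its issuer in the real profile is outside what this example shows.

```python
"""SAML 1.x assertion in a WS-Security SOAP header: build it, then validate it (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs assumed for this example.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"


class TokenError(Exception):
    """Raised when the message carries no acceptable SAML token."""


def _iso(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_envelope(issuer, subject, audience, now, lifetime=timedelta(minutes=5)):
    """Producer side: put a SAML assertion inside <wsse:Security> in the SOAP Header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")   # receiver must process or fault
    a = ET.SubElement(sec, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "0", "AssertionID": "_a1",  # constructed ID
        "Issuer": issuer, "IssueInstant": _iso(now)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _iso(now), "NotOnOrAfter": _iso(now + lifetime)})
    restr = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(restr, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": PASSWORD_AM, "AuthenticationInstant": _iso(now)})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example:orders}GetOrders")   # constructed application payload
    return ET.tostring(env, encoding="unicode")


def read_assertion(envelope_xml, expected_audience, now, skew=timedelta(seconds=30)):
    """Consumer side: return {issuer, subject, not_on_or_after} or raise TokenError.

    Only the Security header is searched; an assertion anywhere else in the
    message is ignored rather than trusted.  For untrusted input in production,
    parse with defusedxml instead of the stock parser.
    """
    env = ET.fromstring(envelope_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        raise TokenError("no wsse:Security header")
    assertions = sec.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise TokenError(f"expected exactly one assertion, found {len(assertions)}")
    a = assertions[0]
    if a.get("MajorVersion") != "1":
        raise TokenError("unsupported SAML major version")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise TokenError("assertion has no usable Conditions")
    not_before, not_on_or_after = _parse(cond.get("NotBefore")), _parse(cond.get("NotOnOrAfter"))
    if now + skew < not_before or now - skew >= not_on_or_after:
        raise TokenError("assertion outside its validity window")
    audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        raise TokenError("assertion not addressed to this service")
    name = a.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name is None or not name.text:
        raise TokenError("no authenticated subject")
    return {"issuer": a.get("Issuer"), "subject": name.text, "not_on_or_after": not_on_or_after}
```

The consumer deliberately locates the assertion by its full path from the Header rather than by searching the whole document, so a token an attacker tucks into the Body or under an unrelated header block never reaches the validity checks.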

  • [September 18, 2002] "Sun Offers Liberty Development Tool." By James Niccolai. In InfoWorld (September 18, 2002). "Sun Microsystems has released an open-source tool for developers that will allow them to begin testing network identity applications that use the Liberty Alliance specification, the company said Wednesday at the SunNetwork conference here... Launched in July, version 1.0 of the Liberty specification should allow users to sign on once to a Web site or network application, and then visit other sites without having to re-enter their password. Later versions will also store a credit card number, address and other information, making it more convenient to shop and use other services on the Web, proponents say. The specification was developed by the Liberty Alliance Project, a group led by Sun that also includes prominent businesses such as United Airlines, American Express, and General Motors. It was developed as an alternative to Microsoft's Passport, which provides single sign-on access to Web sites that support that technology. Called the Interoperability Prototype for Liberty, Sun pitched the tool as the first open-source implementation of the Liberty Alliance specification based on Java. Applications tested with it will be compatible with Sun's Sun ONE Identity Server 6.0 product, which is in beta now and will be Sun's first commercial product with built-in support for the technology when it is launched later this year..." [Website description: "Interoperability Prototype for Liberty is the first open-source implementation of the Liberty Alliance Version 1.0 specification based on Java technology. IPL is designed to help developers learn how the project Liberty Alliance Version 1.0 specification can be implemented. Written for the Java 2 platform, IPL provides the foundation for building liberty into applications and testing interoperability between liberty compliant solutions such as the Sun ONE Identity Server version 6.0. 
IPL consists of sample Java source code libraries, implementing the Liberty version 1.0 specification, and is not designed for commercial deployment. IPL is licensed as open source under the Sun Microsystems Open Source License."] See Interoperability Prototype for Liberty

  • [September 14, 2002] "Liberty For All?" By P.J. Connolly. In InfoWorld Issue 36 (September 09, 2002), page 26. "... I finally dug out the specifications for authentication and identity federation that the PR folks at the Liberty Alliance Project sent to me back in mid-July and looked them over as promised. Of course, those documents were already two-month-old drafts by the time I got them, and I would be surprised to learn that nothing's changed since May. Obviously, one thing that has changed is the underlying goal, or at least the name by which we call it. The drafts still refer to 'single sign-on,' but Liberty's spokesfolk have already softened that to 'simplified sign-on,' and wisely so... What appeals to me most about the Liberty Alliance project is that it's open to just about anyone who wants to play by the rules -- and because those rules aren't set exclusively by one vendor seeking world domination, the playing field is relatively level... The second thing that grabs me is that adopting Liberty doesn't require a major upheaval of a site's authentication scheme. Most of the 'Liberty-specific' details -- particularly the XML schema that Liberty uses as a framework -- can be slid into existing authentication methods without affecting site security or stability. These specs are the start of Liberty's efforts. For now, drafters recognize that the best they can do is recommend; requirements will undoubtedly be part of future iterations. That's basically a good thing -- it can't be easy to draft a specification when foundation technologies including SOAP, SAML (Security Assertion Markup Language), and thin client markup languages such as HDML (Handheld Device Markup Language) and WML (Wireless Markup Language) are just coming together. Under these circumstances, it would be nigh impossible for those driving the Liberty Alliance to come up with a meaningful branding program. 
But a 'Liberty logo' indicating that XYZ Corp.'s Web site conforms to or uses the Liberty federation methods is necessary. Sure, not having a logo may spare the project's membership from a nasty bun-fight over who gets to display the logo. But I'd feel a lot safer about federating my identity between sites if I knew how it was being done, or at least whose method I was trusting..."

  • [August 28, 2002] "Liberty Alliance Increases Ranks With 30 New Members From Across the Globe." - "Liberty Alliance today announced that 30 additional organizations have joined in the consortium's effort to develop open and interoperable specifications for federated network identity. Liberty Alliance's growing member base now represents more than 95 for-profit, not-for-profit, and government organizations from around the globe. The new affiliate and associate members announced today span various industries, from telecom and media to healthcare and biometrics. These new members add depth of knowledge and experience to the collective goals and expertise of the Alliance. These new members are [see text of announcement]... The Liberty Alliance welcomes any commercial or non-commercial organization to join as members. There are three available membership levels within the Alliance -- sponsor, associate and affiliate. For more information on these membership levels, or to sign-up, please visit www.projectliberty.org/membership. The Liberty Alliance will be holding its first all-participant meeting on September 19, 2002, in Chicago. All member levels are invited to attend and participate in these meetings to discuss the Alliance's progress and provide input on the strategic direction of the Alliance and its specifications. The Liberty Alliance Project (www.projectliberty.org) is an alliance of more than 95 technology and consumer organizations formed to develop and deploy open, federated network identification specifications that support all current and emerging network devices in the digital economy. Federated identity will help drive the next generation of the Internet, offering businesses and consumers convenience and choice. Membership is open to all commercial and non-commercial organizations. 
Founding members of the Alliance are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone..."

  • [August 28, 2002] "Liberty Alliance Adds Technical Muscle." By Sandeep Junnarkar. In CNET News.com (August 28, 2002). "The Liberty Alliance Project added a new member on Wednesday, boosting its efforts to establish an online authentication plan to compete with Microsoft's Passport online ID system. Bridgewater Systems said it plans to provide technical expertise in network identification and authentication to Liberty's quest to establish new standards in online authentication systems. The Canadian software developer joins a growing number of companies aligned with Sun Microsystems' Liberty Alliance effort. Heavyweights like American Express, America Online and Hewlett-Packard are among the other members. The group is trying to establish a standard method for online identification that would let a computer user log on once, to one Web site, then have other sites recognize that user as authenticated. Bridgewater supplies software to network service providers that allows them to differentiate access to wireline and wireless services based on the identity of the user or the application. This capability, Bridgewater said, lets service providers solve problems such as how to account for services and track them, and how to prevent unauthorized access... Sun and Microsoft... are each rushing to build and market an authentication system that consumers and businesses alike will trust. Such identity systems are an essential ingredient if next-generation Web services are to actually become mainstream, bringing useful new Internet services to businesses and consumers. Sun is counting on Liberty to become part of the pantheon of Web services standards, and it has been pushing to have such specifications be royalty-free. Liberty's 'single sign-on' standard is based on another newly released standard, the Security Assertion Markup Language (SAML)..."

  • [July 17, 2002] SAML and Liberty. Posting by Jeff Hodges (Sun). 2002-07-17.

  • [July 17, 2002] "Sun's Java-Liberty Moves Risk Industry Scuffles." By [ComputerWire Staff]. In The Register (July 17, 2002). "A potential dispute is opening over proposed integration of Sun Microsystems Inc-backed web services security specifications with Java, writes Gavin Clarke. Sun is lending support to inclusion of Liberty Alliance Project specifications for federated single sign-in to web services in future versions of the Java platform. Jonathan Schwartz, Sun software group executive vice president, said the goal is to 'Liberty-enable the client and server.' Schwartz spoke as he announced Liberty-enabled Sun directory and network servers yesterday. With specifications embedded in the Java platform technologies like Java 2 Enterprise Edition (J2EE) for example, products like J2EE-based application servers could theoretically ship Liberty-enabled. This would minimize development efforts for ISVs and end-users as developers would not need to add Liberty-compliant APIs to Java products and applications. And with APIs shipping in popular products like application server, Liberty could also achieve pervasiveness virtually overnight. Sun's decision, though, risks re-opening old industry wounds. IBM told Computerwire it will not support addition of Liberty specifications unless they are first passed to an independent standards group, like the Organization for the Advancement of Structured Information Standards (OASIS). IBM -- like Microsoft -- remains a non-Liberty member having promoted the alternative WS-Security model. Bob Sutor, director of e-business standards, said: 'IBM will not support this until the work Liberty does is moved to a real standards organization.' IBM is also concerned at the degree of control Sun wields over the Java Community Process (JCP), a 300-member body that debates and approves Java specifications. Sun has constitutional power to veto changes to the Java language. IBM is a JCP participant... 
Key to the battle are application server vendors BEA Systems Inc and Oracle Corp who have yet to declare for Liberty..."

  • [July 17, 2002] "Microsoft Warms to SAML." By Cathleen Moore. In InfoWorld (July 17, 2002). "Microsoft revealed plans on Tuesday [2002-07-16] to support an emerging security standard that also forms the technology underpinnings for rival Liberty Alliance's federated identity management specification. In a talk here at the Burton Group Catalyst Conference 2002, Praerit Garg, Microsoft group program manager, detailed the company's vision for federated security, which will in the future include room for SAML (Security Assertion Markup Language). Meanwhile, Liberty Alliance on Monday announced Version 1.0 of its federated identity management specification, which is based on SAML. SAML allows authentication and authorization information to be exchanged among multiple Web access management and security products, according to OASIS (Organization for the Advancement of Structured Information Standards) officials. The specification also addresses secure single sign on, and leverages Web services standards such as XML and SOAP (Simple Object Access Protocol). In addition to its support for X509 certificates and Kerberos, Microsoft will support SAML in the WS-Security paradigm, Garg said. WS-Security is an OASIS security specification backed by Microsoft, IBM, and Verisign. 'WS-Security is a very simple model that lets you carry multiple assertions, SAML and Kerberos,' Garg said. 'It reduces friction.' SAML is just another security token format, Garg said, and WS-Security provides the common envelope to carry multiple tokens... In response to questions from the audience about what took the company so long to embrace SAML, Garg said that last year Microsoft did not really understand what SAML was about. Also, he added that the company wanted to protect existing investments in X509 and Kerberos. Garg added that Microsoft should have participated more actively in the standards development process. 
With a common SAML-based bridge erected, the gap between Microsoft's identity efforts and the Liberty Alliance may be shrinking. In fact, Microsoft gave its strongest indication yet that it may join forces with the Liberty Alliance..." See details of the Liberty Alliance release in the 2002-07-16 news item "Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization"; on SAML: "Security Assertion Markup Language (SAML)."

  • [July 16, 2002] "Sun Microsystems Delivers First Liberty-Enabled Single Sign-On Solution. Announces New Sun ONE Identity Server 6, Sun ONE Directory Server 5.2. Enables Enterprises to Consolidate Authentication Systems, Reducing Integration Costs and Increasing Time to Service." - Sun Microsystems, Inc. today announced the first shipping, end-to-end network identity solution that addresses customers' needs for heightened security, privacy and federated identity management. The new products, services and support available today are fully compliant with the Liberty Alliance version 1.0 specification announced yesterday... 'Identity is the most fundamental Web service and customers want open, interoperable solutions that enable frictionless commerce on the Web,' said Jonathan Schwartz, executive vice president, software, Sun Microsystems Inc. 'CIOs and commerce sites are spending millions in redundant, proprietary identity infrastructure. By offering early support of the Liberty spec, Sun is giving enterprises more choice in network identity and enabling them to take advantage of the rising tide of business opportunities. With Sun's solutions, customers can reduce redundancies between existing systems while extending their network identity environment safely to deliver single sign-on today within their own organizations or among groups of companies working together in a circle of trust.' 'Wells Fargo is providing next-generation single sign on across all of our retail banking Internet sites, including Wells Fargo Internet Banking, Brokerage, Bill pay and Wells OneLook. As an early pioneer and leader in network identity, Sun was the logical partner to help Wells Fargo realize this vision,' said Avid Modjtabai, executive vice president, Wells Fargo Consumer Internet Services. 
'By leveraging the Sun ONE architecture and Sun's new network identity solution, we believe we will be able to improve the efficiency of our existing single sign on environment and even extend it to partner companies such as airlines through a federated network identity. Sun's identity solution will be critical to our ability to continue to provide customers with the quality and types of services they desire.' The Sun ONE Platform for Network Identity features pre-integrated software, hardware and services. It has been completely updated with the Liberty-enabled Sun ONE Identity Server 6, Sun ONE Directory Server 5.2, Solaris 9 Operating Environment and new professional services offerings. Other products in the Sun ONE portfolio will be Liberty-enabled over time, beginning with the award-winning Sun ONE Portal Server... the new version enables enterprises to bridge disparate authentication systems with single sign-on. Based on open standards, including Liberty, SAML and Java Authentication and Authorization Service, customers can integrate Sun ONE into existing systems without lock-in to a single vendor..."

  • [July 16, 2002] "Liberty Alliance Details Network Identity Specifications." By Paul Krill and Matt Berger. In InfoWorld (July 15, 2002). "The Liberty Alliance Project on Monday is announcing availability of Version 1.0 of its specifications for a federated network identity system for e-commerce and Web services. According to the Liberty Alliance, the specifications represent the first step in enabling an open, federated network identification infrastructure to link similar and disparate systems. Through the specifications, users can decide whether to link accounts with various identity providers. Companies such as Sun Microsystems, Nokia, MasterCard, and American Express are members of Liberty Alliance and expressed their support of the specifications. Various vendors on Monday may provide road maps for supporting the Liberty effort in products... The next version of the specification will address permission-based attribute sharing, in which organizations can share user information according to permissions granted by the user. Version 1.0 enables 'opt-in' account linking, in which users can choose to link accounts with different service providers. Other functions of the specification include simplified sign-on for linked accounts, in which users can authenticate at one account and navigate to other linked accounts without having to again log in; authentication context, which lets institutions or companies communicate the type of authentication that should be used for user log-ins; and global log-out, in which a user can log out of one site and be automatically logged out of other linked sites. The specification leverages protocols such as SAML (Security Assertion Markup Language)... 
Said analyst James Kobielus, senior analyst at the Burton Group in Alexandria, Va., in an e-mail response to questions about the Liberty Alliance Version 1.0 specifications: 'Users will be able to optionally link -- and de-link -- their accounts, so as to reduce the number of times they need to enter user IDs and passwords when transacting business across one or more 'federated' or affiliated organizations. The principal shortcomings of the Liberty Alliance 1.0 specifications are that they are new, unproven in the field, rely on the still immature but promising SAML 1.0 standard, and leave many complex technical integration details to be worked out by organizations that implement Liberty-enabled account linking. Liberty 1.0, like SAML 1.0, which Liberty's specs extend, still needs to be implemented and integrated in a critical mass of commercial products and services,' Kobielus said..." See details in the 2002-07-16 news item "Liberty Alliance Project Publishes Version 1.0 Specifications for Federated Network Identification and Authorization."

Document URI: http://xml.coverpages.org/libertyAlliance.html
Robin Cover, Editor: robin@oasis-open.org