The Liberty Alliance Project has released Business Guidelines: Raising the Business Requirements for Wide Scale Identity Federation, described as the first in a series of documents the Alliance is developing to provide global businesses guidance on deploying federated identity solutions. The purpose of the document is to "identify the general business considerations that must be addressed by any organization exchanging identity information beyond company boundaries in today's complex federated identity environment."
Four principal business requirements identified as critical to identity federation are highlighted in the Business Guidelines: "(1) Mutual confidence: the processes and tasks business partners must undertake to set minimum quality requirements, certify the other party has met those requirements, and manage the risk of exposure; (2) Risk management: the best practices and procedures business partners must identify to guard themselves from losses due to identity fraud, losses due to the exposure of identity information, and loss of business integrity due to insecure processes or data; (3) Liability assessment: the process for determining in a networked environment what parties will bear which losses, under what circumstances and how to resolve disputes; (4) Compliance: the alignment with agreed-upon standards, policies and procedures and how that compliance is governed, including compliance with local privacy requirements."
"Liberty Alliance plans to introduce future documents aggregating major business issues and informational sources that will guide federated identity implementations in vertical (i.e., healthcare, financial services), regional (i.e., Japan, Germany) and industry scenarios (i.e., B2B, B2C mobile). The next set of documents is expected to be available by end of 2003."
Business Guidelines: Raising the Business Requirements for Wide Scale Identity Federation. Copyright (c) 2003 Liberty Alliance Project. Glossary in Section 9. July, 2003. 16 pages.
From the Announcement
"The early work of Liberty Alliance focused on the technical requirements needed to create a federated identity architecture. We introduced our first set of open federated identity specifications a year ago, and our second set of specifications is already out for public review. Now that our technical work is well under way, we must help facilitate adoption of federated identity across the industry," said Michael Barrett, president of the Liberty Alliance Management Board and vice president of Internet strategy at American Express.
"The real value in Web services will never be reached until companies can more securely and efficiently manage trusted relationships among partners, suppliers, employees and customers," continued Barrett. "Identity is the foundation of any trusted relationship, and there is a great deal of complexity in how businesses manage and share that identity information."
While identity federation holds much promise to advance Web services, it also requires that companies address the liability, risk and costs that arise with sharing information beyond company walls. The Liberty Alliance Business Guidelines document highlights four major business requirements to consider in the context of identity federation.
"Because of its broad makeup of end-users, vendors, governments and industry organizations, the Liberty Alliance is in a unique position to address the complex business issues of federation," said Dan Blum, vice president and research director at the Burton Group. "The range of business requirements and regulations companies must meet varies immensely depending on the industry and region within which they operate."
Analyst research firm IDC predicts that Web Services will be a $21 billion industry by 2007. However, until vendors and end-users collaboratively address the complex "identity" challenges that are currently slowing adoption of Web services, this prediction can't become a reality.
The Business Guidelines document Liberty Alliance released today provides baseline guidance on the business issues associated with wide scale inter-company federated identity management. It is also meant to solicit input from the industry at large, which may be incorporated into future documents.
The Liberty Alliance Project (www.projectliberty.org) is an alliance of more than 170 companies, non-profit and government organizations formed to develop and deploy open, federated network identification standards that support all current and emerging network devices in the digital economy. Federated identity will help drive the next generation of the Internet, offering businesses and consumers convenience and choice. Membership is open to all commercial and non-commercial organizations.
Identity Networks and Assorted Groups Examining Federated Identity
[Adapted from Section 8 of the Business Guidelines]
- Shibboleth Project. "Shibboleth is an initiative to develop an open, standards-based solution to the needs for organizations to exchange information about their users in a secure, and privacy-preserving manner."
- PingID Network. "PingID is a member-owned, technology neutral identity network, the first of its kind, providing businesses with the legal framework and essential shared identity services required to ensure secure, quality assured identity interchange within any identity federation."
- SIMC Identity Management Initiative. The Securities Industry Middleware Council, Inc. is hosting projects which seek to document "identity management scenarios currently being addressed by participating firms and identify specific aspects of the various scenarios that are most amenable to solution in the near term."
- FSTC Liberty Alliance / SAML Business Application Review Project. "The FSTC Security SCOM has launched a business application review, in which the details of both the SAML and Liberty Alliance v1.0/1.1 specs will be measured against financial industry usage scenarios and requirements."
The Financial Services Technology Consortium (FSTC) recently announced the "completion of a six-month evaluation of current industry initiatives in identity management. Participating Financial Institutions included Bank of America, Citigroup, Fidelity, Glenview State Bank, JPMorgan Chase, National City, University Bank, and Wells Fargo. The Technology Partners included Digital Resources Group, eONE Global, Hewlett-Packard, IBM, Niteo Partners (a NEC Company), Sun Microsystems, Top Layer Networks, and Yodlee. The report, Identity Management in Financial Services, is a critical assessment of how well the Liberty Alliance and SAML specifications meet the needs of the financial services industry as measured against common business use scenarios and known industry requirements." Background and Table of Contents for the full document are provided online. Excerpts from the Preface and Executive Summary:
Identity Management in Financial Services is a critical assessment of how well the Liberty Alliance and SAML specifications meet the needs of the financial services industry as measured against common business use scenarios and known industry requirements.
This report was commissioned by the Security Standing Committee (Security SCOM) of the Financial Services Technology Consortium (FSTC). The Financial Services Technology Consortium is a consortium of leading North American-based financial institutions, technology vendors, independent research organizations, and government agencies. FSTC sponsors collaborative technology development - pilots, proofs-of-concept, tests, and demonstrations - supported by member financial institutions and technology companies. Its aim is to bring forward interoperable, open-standard technologies that provide critical infrastructures for the financial services industry.
The review evaluated financial industry requirements against the OASIS Security Assertion Markup Language V1.0 specification (SAML) and Liberty Alliance Identity Federation Framework V1.1 specification (Liberty). The evaluation was done in the context of the North American financial services marketplace. Industry requirements, particularly in the area of data privacy, may vary in other geographies. The work was performed December 2002 through April 2003.
The report considers three typical financial industry use cases to explore and assess the application of these technologies.
Use Case #1: Employee Single Sign-On to Enterprise Partners. Liberty and SAML are each well suited to support the needs of financial institutions attempting to provide employees with single sign-on access to external services. Two example scenarios focus on employee access to a 401(k) plan and employee access to corporate travel services. In many ways, this is a B2B2E authentication chain, with the business authenticating the employer (financial institution), which in turn authenticates its employee.
Use Case #2: Business-to-Business. Liberty and SAML are well suited to support the needs of financial institutions attempting to support a business supply chain. Two usage scenarios explore the supply chain in affinity cards and mobile financial services.
Use Case #3: Account Aggregation. The potential use of SAML, more so than Liberty, in next generation account aggregation services provides financial institutions with the opportunity to eliminate the sharing of sensitive customer credentials and retain their central role of authenticating their own customers. Three usage scenarios focus on account provisioning at the aggregator, data transfer from financial institution to aggregator, and single sign-on from the aggregator to the financial institution.
- Announcement 2003-07-08: "Liberty Alliance Releases Business Requirements and Guidelines for Wide Scale Identity Federation. Business Consortium to Create 'Source Library' for Business Partners to Securely and Responsibly Exchange Identity Information Beyond Company Boundaries."
- Business Guidelines: Raising the Business Requirements for Wide Scale Identity Federation. The Liberty Alliance Project. July 2003.
- Source Library reference page
- Liberty Enabled Products
- Liberty Alliance Project members
- Liberty Alliance Project website
- "Identity Management in Financial Services: An Assessment of the Liberty Alliance and SAML Specifications." Financial Services Technology Consortium. The TOC is also available.
- See also: "FSTC Completes Industry Assessment of Liberty Alliance and SAML Technologies. Report Identifies Opportunities for Financial Institutions to Extend Trusted Relationships with Customers and Employees Out to Third Parties."
- See also: "Report Finds Liberty Alliance Standard Helps Financial Institutions Extend Trusted Relationships and Enable New Online Businesses. Independent Study Sponsored by Leading Banks and Industry Vendors Demonstrate SAML and Liberty Alliance Ready to Meet Banks' Business Needs."
- See also: "Liberty Alliance Releases Phase 2 Specifications for Federated Network Identity."
- See also: "Security Assertion Markup Language (SAML)" - Main reference page.
- "Liberty Alliance Specifications for Federated Network Identification and Authorization" - Main reference page.