Update 2007-03-21: On March 19, 2007 OASIS acknowledged receipt of a draft TC charter proposal to create a Web Services Federation (WSFED) Technical Committee. The TC would accept as input the WS-Federation specification (Version 1.1) published by BEA Systems, BMC Software, CA, IBM, Layer 7 Technologies, Microsoft, Novell, and VeriSign. The revised WS-Federation specification Version 1.2 would extend basic federation capabilities enabled by WS-Security, WS-SecureConversation, WS-Trust, and WS-SecurityPolicy. Representatives from twenty-three companies provided statements of support for the charter proposal. See: "Proposed Charter: OASIS Web Services Federation (WSFED) Technical Committee."
- Liberty ID-WSF Web Services Framework
- Microsoft WS-Federation Interoperability Workshop
- OASIS Security Assertion Markup Language (SAML)
- Principal References
[May 26, 2004] Recent announcements about the adoption of identity federation standards and demonstrated interoperability of enterprise-level products reveal a growing interest in deploying secure, identity-based Web Services across company boundaries.
The Liberty Alliance consortium has released a new overview document describing the general applicability of its Identity Web Services Framework (ID-WSF) to Web services. Finalized in November 2003, Liberty's ID-WSF suite of specifications supports the development of Web services which "typically require a number of standard functions, including authentication, security, service discovery, and the communication of service policy. Liberty ID-WSF provides such functionality, allowing the development of secure, privacy-protected Web services. AOL, Nokia and Vodafone are among approximately thirty (30) member companies that have announced products and services or plans for products and services based on Liberty specifications. Federated, identity-based Web services allow companies to connect their applications with their partners' or customers' applications by granting trusted entities access to services and information protected by firewalls."
Microsoft announced that six companies participating in a WS-Federation interoperability workshop completed testing of their products; the solution was demonstrated in the Microsoft Interoperability Pavilion at the TechEd conference. Several participating companies have issued announcements describing the implementation of federated identity specifications in their products, including support for Web Services Federation (WS-Federation), OASIS Web Services Security (WSS) 1.0, SAML, and Liberty Alliance.
WS-Federation (from BEA, IBM, Microsoft, RSA Security, and Verisign, July 2003) "defines mechanisms that are used to enable identity, account, attribute, authentication, and authorization federation across different trust realms. The mechanisms can be used by passive and active requestors; the Web service requestors are assumed to understand the new security mechanisms and be capable of interacting with Web service providers."
RSA Security's announcement reports that Dan Blum of Burton Group counts "approximately 200 organizations currently implementing browser-based federated identity solutions, primarily utilizing the SAML (Security Assertion Markup Language) specification."
Ping Identity Corporation has founded an open source community project (SourceID.org) for federated identity management based upon the SAML, Liberty Alliance, and WS-Federation specifications. Its goal is to promote education about a federated identity infrastructure that "enables cross-boundary single sign-on, dynamic user provisioning and identity attribute sharing; by providing for identity portability, identity federation affords end-users with increased simplicity and control over the movement of personal identity information while simultaneously enabling companies to extend their security perimeter to trusted partners."
Bibliographic Information: Liberty Identity Web Services Framework (ID-WSF) White Paper
Liberty ID-WSF — a Web Services Framework. Edited by John Kemp (Nokia). Liberty Alliance Project. May 23, 2004. 15 pages. Contributors: Carolina Canales-Valenzuela (Ericsson), Britta Glade (RSA Security, Inc), Paul Madsen (Entrust), and Jason Rouault (Hewlett-Packard Company). This white paper summarizes the benefits of the Liberty (ID-WSF) Web Services Framework.
"Broadly speaking, there are three classes of web service — identity-based (my profile service), identity-consuming (your localized weather forecast) and basic (a general stock quote service).
The Liberty Identity Web Services Framework provides functionality to address the security and basic reliable messaging functions of any such web service. Additionally, a general framework is available for indicating policy that might apply to service access. Finally, and perhaps most usefully, a mechanism (the opaque name and resource identifier) is provided to offer privacy-protected identity-based services, and access to such services, providing the opportunity to create personalized services without compromising the privacy of individuals.
In today's marketplace, web services play a critical role in enabling companies to easily and cost-effectively do business with trusted partners and customers, without compromising security, visibility or control over identity information. The Liberty Identity Web Services Framework is currently helping many companies to successfully implement federated identity-management projects. Already, AOL, Nokia, and Vodafone are among several member companies with plans to support ID-WSF under the Phase 2 Liberty specifications in existing or new products and services.
Under a new arrangement with D-Link, Radio@AOL — the No. 1 Internet radio broadcaster — and You've Got Pictures will be available to AOL's 31.5 million subscribers as well as non-AOL subscribers. A prototype developed jointly between AOL and Nokia demonstrates how AOL employs ID-WSF specifications — particularly the authentication, discovery, and permission-based attribute sharing and security features, to enable any consumer to access and personalize the Radio@AOL service using their Nokia mobile handset.
Vodafone, among the world's largest mobile telecommunications network companies, has collaborated with Trustgenix and Gamefederation to build a Liberty-enabled multiplayer mobile gaming proof-of-concept. Using Liberty as the authentication mechanism, a user can discover a game site over Vodafone's network, access it, and personalize his or her experience.
These projects illuminate Liberty ID-WSF's ability to bridge fixed and mobile Internet services. ID-WSF also underscores that an identity-aware framework allows communities to provide highly personalized and attractive services while improving the service's usability. Deployments such as those by AOL, Nokia, and Vodafone illustrate how Liberty supports the entire web services ecosystem, including mobile devices..."
Liberty Alliance Identity Web Services Framework (ID-WSF) 1.0 Final Specifications
See the specifications listing for individual components included in these specifications.
- Liberty ID-WSF Security & Privacy Overview, Version 1.0
- Liberty ID-WSF Discovery Service Specification, Version 1.1
- Liberty ID-WSF SOAP Binding Specification, Version 1.1
- Liberty ID-WSF Security Mechanisms Specification, Version 1.1
- Liberty ID-WSF Interaction Service Specification, Version 1.0
- Liberty ID-WSF Data Services Template Specification, Version 1.0
- Liberty ID-WSF Architecture Overview
- Liberty ID-WSF Client Profiles Specification
- Liberty ID-WSF Authentication Service Specification
From the Liberty Alliance ID-WSF Announcement
Liberty Alliance, the global consortium developing an open federated identity standard and business tools for implementing identity-based services, today released an overview of its Identity Web Services Framework (ID-WSF) and how it is adapted to general Web services development. Responding to strong industry interest in ID-WSF, released publicly in April 2003 and finalized in November 2003, Liberty Alliance has created this document to help interested parties quickly understand the benefits of Liberty's web services framework.
Companies today face the business imperative to expand revenue opportunities, and deliver better service and security to customers at a lower cost. Federated, identity-based Web services allow companies to connect their applications with their partners' or customers' applications by granting trusted entities access to services and information protected by firewalls. Liberty ID-WSF provides a blueprint for companies to extend their architectures to a federated Web services model, allowing trusted partners, customers and suppliers to access key resources and information across corporate boundaries. Liberty plans to release a technical white paper based on the established ID-WSF framework in Q3 of this year, helping companies more quickly absorb the technical detail already available in the specifications.
"Many companies have already moved their business processes to the web, and successfully implemented Liberty-enabled Identity Management infrastructures," said Michael Barrett, president of the Liberty Alliance and vice president for privacy and security at American Express. "These companies are ready to leverage this powerful foundation and move aggressively forward with federated Web services. Liberty ID-WSF helps businesses to enrich their current deployments and create significant competitive advantage."
... Liberty will be hosting an interoperability demonstration at the Burton Catalyst Conference on July 21, 2004 that will highlight three scenarios that show support of Liberty's Identity Web Services Framework (ID-WSF), and one scenario that shows support for Liberty's Identity Federation Framework (ID-FF). These scenarios will demonstrate specific utilization of Liberty protocols and will include examples from the financial services, e-government and mobile spaces...
The Liberty Alliance Project (http://www.projectliberty.org) is an alliance of more than 150 companies, non-profit and government organizations from around the globe. The consortium is committed to developing an open standard for federated network identity that supports all current and emerging network devices. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information in today's digital economy, and is a key component in driving the use of e-commerce, personalized data services, as well as web-based services. Membership is open to all commercial and non-commercial organizations.
See additional references below for Liberty Alliance Identity Federation Framework (ID-FF) and Liberty Identity Web Services Framework (ID-WSF).
Bibliographic Information: Web Services Federation (WS-Federation)
Web Services Federation Language (WS-Federation). By Siddharth Baja (VeriSign), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Mike Dusche (Microsoft), Maryann Hondo (IBM), Matt Hur (Microsoft), Chris Kaler (Editor, Microsoft), Hal Lockhart (BEA), Hiroshi Maruyama (IBM), Anthony Nadalin (Editor, IBM), Nataraj Nagaratnam (IBM), Andrew Nash (RSA Security), Hemma Prafullchandra (VeriSign), and John Shewchuk (Microsoft). Draft Version 1.0. July 8, 2003. 41 pages. Copyright (c) IBM, Microsoft, BEA Systems, RSA Security, and VeriSign.
WS-Federation: Passive Requestor Profile. By Siddharth Baja (VeriSign), Brendan Dixon (Microsoft), Mike Dusche (Microsoft), Maryann Hondo (IBM), Matt Hur (Microsoft), Chris Kaler (Editor, Microsoft), Hal Lockhart (BEA), Hiroshi Maruyama (IBM), Anthony Nadalin (Editor, IBM), Nataraj Nagaratnam (IBM), Andrew Nash (RSA Security), Hemma Prafullchandra (VeriSign), Yordan Rouskov (Microsoft), John Shewchuk (Microsoft), and Jeff Spelman (Microsoft). Draft Version 1.0. July 8, 2003. 32 pages.
WS-Federation: Active Requestor Profile. Siddharth Baja (VeriSign), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Maryann Hondo (IBM), Matt Hur (Microsoft), Chris Kaler (Editor, Microsoft), Hal Lockhart (BEA), Hiroshi Maruyama (IBM), Anthony Nadalin (Editor, IBM), Nataraj Nagaratnam (IBM), Andrew Nash (RSA Security), Hemma Prafullchandra (VeriSign), and John Shewchuk (Microsoft). Draft Version 1.0. July 8, 2003. 18 pages.
From the Microsoft WS-Federation Announcement
Microsoft Corp., together with six of the industry's leading identity management vendors, today previewed interoperable federated identity management solutions based on the Web services architecture (WS-*). Software companies IBM Corp., Netegrity Inc., Oblix Inc., OpenNetwork Technologies, Ping Identity Corp., RSA Security Inc., and Microsoft have successfully concluded work demonstrating how their identity management technologies interoperate using the Web Services Federation (WS-Federation) specification, part of the WS Security set of specifications. In his Tech-Ed keynote address today, Andrew Lees, corporate vice president for Server and Tools Marketing at Microsoft, showed how federated identity management based on WS-Federation and the WS-* architecture will simplify the work of IT professionals as they seek to cut the cost and complexity of passing identity credentials across security and organization boundaries in a Web services environment.
"Connecting companies offers significant business benefits by streamlining processes and enabling new business opportunities. However, customers have said that connecting with their partners is too complicated and often not cost-effective," Lees said. "Today at Tech-Ed, we are showing the industry's ability to come together and deliver interoperable enterprise-class products for federated identity that dramatically simplify more-secure business-to-business commerce and collaboration using Web services standards."
"In today's business environment, companies are seeing a growing demand to give their partners access to mission-critical applications and data," said Jamie Lewis, CEO and Research Chair at Burton Group. "The need to open and protect systems that reside behind the firewall has established federated identity as a critical component of interoperability infrastructure. By supporting both federated identity and application integration functions in a consistent framework, Web services can lower both the cost and difficulty of interoperability between business partners."
Identity federation using WS-* eliminates the need for IT professionals to specify technical requirements for interoperability. The WS-Federation specification itself defines mechanisms to federate identity, account, attribute, authentication and authorization in a more secure manner. WS-Federation is part of WS-*, as outlined in an April 2002 Microsoft and IBM white paper, titled "Security in a Web Services World: A Proposed Architecture and Road Map," which describes an evolutionary approach to help customers address security in a Web services environment. IBM and Microsoft demonstrated interoperability among their products using WS-* specifications last year.
"Identity federation is the next logical step for the advancement of secure Web services as organizations need to connect securely to realize new business opportunities at ever-increasing speed," said Joe Anthony, program director of Integrated Identity Management, Tivoli Software, IBM. "Interoperability through WS-* and the delivery of identity management software based on those standards is a real asset to our customers as they build on-demand businesses."
"Netegrity is seeing increased interest from our customers to enable federated identity using WS-*," said Bill Bartow, vice president of Engineering at Netegrity. "Netegrity currently supports WS-Security in its products, and we are committed to supporting WS-Federation to enable our customers to more easily and cost-effectively interoperate with their partners."
"Our planned support for WS-* is a very natural step in the development of Oblix SHAREid, as it was built specifically to lower the barriers to identity federation," said Prakash Ramamurthy, vice president of products and technology at Oblix. "We are excited that the industry's show of support for WS-Federation will ensure enterprises high levels of interoperability, thus making it faster and easier for them to reap the business benefits of federating with partners and customers."
"We see a real business opportunity in leveraging WS-* to enhance our identity and access management solution," said Bob Worner, vice president of engineering at OpenNetwork. "Our customers are enthusiastic about the ways WS-* will extend our Universal Identity Platform and enable interoperability to help them achieve a comprehensive federated identity solution."
"Having released an open source proof-of-concept around WS-Federation last year at SourceID.org, we're already well aware of the pent-up demand for this solution," said Andre Durand, CEO of Ping Identity. "Federated identity is allowing companies to accomplish single sign-on with partners, better partner integration, and secure collaboration at a fraction of the cost and complexity associated with more traditional solutions — and WS-Federation is a key component in that rollout."
"RSA Security strives to deliver solutions to the marketplace that help our customers save money, increase productivity and exploit new business opportunities — all benefits that federated identity can deliver when implemented properly," said Jason Lewis, vice president of product management and marketing at RSA Security. "We are pleased to support WS-* in the RSA Federated Identity Manager product to help our customers enjoy the benefits of interoperability."
See citations below for additional announcements released by the WS-Federation Workshop participants.
About the OASIS Security Assertion Markup Language (SAML)
The OASIS Security Services TC is working to advance the Security Assertion Markup Language (SAML) as an OASIS standard. SAML is an XML framework for exchanging authentication and authorization information. SAML versions 1.0 and 1.1 are approved OASIS Standards. SAML Version 2.0 is under development.
An excellent overview of SAML is provided in the Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1. This is a completed OASIS Technical Committee Draft, 11-May-2004.
"The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. More precisely, SAML defines a common XML framework for exchanging security assertions between entities...
Why is SAML needed? The SSTC developed a number of use cases to drive SAML's requirements. For SAML 1.x, the most important of these use cases described a SAML-based solution to the problem of Web Single Sign-On (SSO). Web SSO allows users to gain access to website resources in multiple domains without having to re-authenticate after initially logging in to the first domain. To achieve SSO, the domains need to form a trust relationship before they can share an understanding of the user's identity that allows the necessary access...
The SAML technology is rooted in XML. The information passed around between asserting parties (SAML authorities) and relying parties is mostly in the form of XML, and the format of these XML messages and assertions is defined in a pair of SAML XML schemas.
SAML has the following key concepts:
- Assertions: An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three kinds of statements that can be carried within an assertion. Authentication statements say 'This subject was authenticated by this means at this time.' Attribute statements provide specific details about the subject (for example, that a user holds 'Gold' status). Authorization decision statements identify what the subject is entitled to do (for example, whether a user is permitted to buy a specified item). The XML format for assertions and their allowable extensions is defined in an XML schema.
- Protocol: SAML defines a request/response protocol for obtaining assertions. A SAML request can either ask for a specific known assertion or make authentication, attribute, and authorization decision queries, with the SAML response providing back the requested assertions. The XML format for protocol messages and their allowable extensions is defined in an XML schema.
- Bindings: A binding details exactly how the SAML protocol maps onto transport and messaging protocols. For instance, the SAML specification provides a binding of how SAML request/responses are carried within SOAP exchange messages over HTTP.
- Profiles: Profiles are technical descriptions of particular flows of assertions and protocol messages that define how SAML can be used for a particular purpose. They are derived from use cases..." [v1.1 TechOverview]
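As an added illustration of the assertion and statement concepts above (example code written for this page, not part of the SAML Technical Overview), the following Python parses a constructed SAML 1.1 assertion carrying one authentication, one attribute, and one authorization decision statement, then applies the checks a relying party makes on issuer, validity window, and audience before trusting any of them. The issuer and audience URLs, subject name, and attribute are constructed values; XML signature verification is assumed to be done separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 reuses the 1.0 assertion namespace; the version sits in attributes.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample (not from a real deployment): one of each statement kind.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-1"
    Issuer="https://idp.example.org" IssueInstant="2004-05-26T10:00:00Z">
  <saml:Conditions NotBefore="2004-05-26T10:00:00Z" NotOnOrAfter="2004-05-26T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2004-05-26T09:59:30Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="MemberLevel" AttributeNamespace="https://idp.example.org/attrs">
      <saml:AttributeValue>Gold</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Decision="Permit" Resource="https://sp.example.com/buy/item42">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def parse_instant(value):
    """SAML 1.x timestamps are UTC xsd:dateTime values with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return issuer, conditions and the three statement kinds as plain Python data."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    cond = root.find("saml:Conditions", NS)
    info = {
        "issuer": root.get("Issuer"),
        "not_before": parse_instant(cond.get("NotBefore")),
        "not_on_or_after": parse_instant(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall(".//saml:Audience", NS)],
        "authn": [], "attributes": {}, "authz": [],
    }
    # Authentication statements: 'this subject was authenticated by this means at this time'.
    for st in root.findall("saml:AuthenticationStatement", NS):
        info["authn"].append({
            "subject": st.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
            "method": st.get("AuthenticationMethod"),
            "instant": parse_instant(st.get("AuthenticationInstant")),
        })
    # Attribute statements: details about the subject, e.g. 'Gold' status.
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        info["attributes"][attr.get("AttributeName")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    # Authorization decision statements: what the subject may do to a resource.
    for st in root.findall("saml:AuthorizationDecisionStatement", NS):
        info["authz"].append({
            "resource": st.get("Resource"), "decision": st.get("Decision"),
            "actions": [a.text for a in st.findall("saml:Action", NS)],
        })
    return info

def rejection_reasons(info, trusted_issuers, my_audience, now):
    """Relying-party checks applied before any statement is acted on."""
    # Assumes the assertion's XML signature was already verified upstream.
    reasons = []
    if info["issuer"] not in trusted_issuers:
        reasons.append("untrusted issuer")
    if now < info["not_before"] or now >= info["not_on_or_after"]:
        reasons.append("outside validity window")
    if info["audiences"] and my_audience not in info["audiences"]:
        reasons.append("audience mismatch")
    return reasons
```

An empty list from `rejection_reasons` means the conditions hold for this relying party; only then should the extracted statements drive an access decision.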
- Federation Interoperability Announcements:
- Microsoft announcement 2004-05-25: "Leading Identity Management Vendors Join Microsoft to Demonstrate Federated Identity Using Web Services. Interoperable Solutions Reduce Cost and Complexity of Secure Identity Management Across Corporate Network Boundaries."
- Netegrity announcement 2004-05-25: "Netegrity Showcases Federation Interoperability With Microsoft at Tech Ed Conference. Companies Utilize WS-Security and SAML to Securely Share Identity Information Across Partner Sites."
- Oblix announcement 2004-05-25: "Oblix Teams with Microsoft to Deliver Support for WS-Federation. Oblix Supports Broad Range of Standards for Identity Federation."
- OpenNetwork announcement 2004-05-25: "OpenNetwork Demonstrates Interoperable Identity Management Solution based on WS-Federation. Joins Five Software Vendors in an Interactive Demonstration at Microsoft TechED."
- Ping Identity announcement 2004-05-25: "Open Source WS-Federation Project Gaining Traction."
- RSA Security announcement 2004-05-25: "RSA Security Completes WS-Federation Interoperability Testing with Microsoft, IBM and Other Leading Vendors. RSA Federated Identity Manager Demonstrates Support for Emerging Standard to Provide Identity Federation For Web Services Environments."
- Federated Identity Management Interoperability. WS-Federation Passive Requestor Profile Interoperability Workshop. Microsoft Corporation. From the Microsoft MSDN Library. May 2004. "As enterprises extend internal systems to external users, it is important to ensure that the systems can interoperate with other organizations' applications. Leading Identity Management Solution providers demonstrated their solutions that meet this need in a recent Interoperability Workshop... This document describes the results of that Workshop in which implementations of an interoperability scenario using the WS-Federation Passive Requestor Profile based upon the Web Services Security set of standards were tested." See the recent workshop description and WS-* community workshops overview.
- WS-Federation References:
- Web Services Federation Language (WS-Federation)
- WS-Federation: Passive Requestor Profile
- WS-Federation: Active Requestor Profile
- "Federation of Identities in a Web Services World." A Joint White Paper from IBM Corporation and Microsoft Corporation. July 08, 2003.
- "Security in a Web Services World: A Proposed Architecture and Roadmap." A joint security whitepaper from IBM Corporation and Microsoft Corporation. April 7, 2002. Version 1.0. "WS-Federation: This specification will define how to construct federated trust scenarios using the WS-Security, WS-Policy, WS-Trust, and WS-SecureConversation specifications. For example, it will describe how to federate Kerberos and PKI infrastructures... As well, a trust policy is introduced to indicate and constrain and identify the type of trust that is being brokered. This specification also will define mechanisms for managing the trust relationships..."
- "Web Services Federation Language Provides Federated Identity Mapping Mechanisms." News story 2003-07-08.
- Liberty Alliance References:
- Announcement: "Liberty Alliance Outlines Framework to Support Federated Web Services. Blueprint for Secure Web Services Architecture Facilitates Connectivity Across Corporate Boundaries, Drives Business Opportunities Between Trusted Companies." [source]
- Liberty ID-WSF — a Web Services Framework. Liberty Alliance Report. May 2004.
- "Whitepaper: Benefits of Federated Identity to Government." March 2004.
- Liberty Identity Federation Framework (ID-FF) 1.2 Specifications
- Liberty-enabled products
- Liberty Alliance specifications
- Liberty Alliance members
- Organizational Structure of Liberty Alliance
- Liberty Alliance FAQ document
- Liberty Alliance web site
- Earlier Liberty news:
- "Liberty's Federated Identity Project Supported by Intel and Six New Global Alliances."
- "Liberty Publishes Federated Identity Documents on Mobile Deployments and Identity Theft"
- "Liberty Alliance Publishes Final Phase 2 Specifications and Previews Phase 3"
- "Liberty Alliance Publishes Business Requirements and Guidelines for Identity Federation"
- "Liberty Alliance Releases Phase 2 Specifications for Federated Network Identity"
- "Government Agencies Join Liberty Alliance to Support Digital Identity Standards"
- "Sun ONE Identity Server 6.0 Supports Liberty Alliance and SAML Specifications"
- "Liberty Alliance Releases Draft Version 1.1 Specifications for Public Review"
- "Liberty Alliance Specifications for Federated Network Identification and Authorization" - Main reference page.
- Security Assertion Markup Language (SAML) References:
- OASIS Security Services TC website
- SSTC List archives
- SAML FAQ document
- Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS Technical Committee Draft. 11-May-2004. 19 pages. [PDF source]
- SAML Version 2.0 Scope and Work Items. OASIS Security Services TC. May 03, 2004.
- Earlier SAML news:
- "OASIS SAML Interoperability Event Demonstrates Single Sign-On at RSA Conference."
- "Successful SAML V1.1 Interop Lab at RSA2004 Conference."
- "OASIS TC Approves Version 1.1 Specifications for Security Assertion Markup Language (SAML)."
- "Sun ONE Identity Server 6.0 Supports Liberty Alliance and SAML Specifications."
- "Security Assertion Markup Language (SAML) Version 1.0 an OASIS Open Standard."
- "Burton Group's Catalyst Conference Features SAML Interoperability Event."
- "Security Assertion Markup Language (SAML)" - Main reference page.
- SourceID Project References: