IBM, Microsoft publish Web services identity spec

IBM Corp. and Microsoft Corp. recently published the fifth of an eventual seven specifications that will work in unison to help corporations deploy secure and interoperable Web services.

The new WS-Federation specification is designed to standardize the way companies share user and machine identities among disparate authentication and authorization systems spread across corporate boundaries. RSA Security Inc., BEA Systems Inc. and VeriSign Inc. helped the two vendors develop the specification.

WS-Federation is the latest milestone in a roadmap IBM and Microsoft unveiled in April 2002 that introduced WS-Security as a foundation security protocol and six supporting protocols for building a Web services security framework. The two vendors along with 15 partners submitted WS-Security to the Organization for the Advancement of Structured Information Standards (OASIS) in September 2002 and have since published other specifications called for in the roadmap: WS-Policy, WS-Trust and WS-SecureConversation.

WS-Federation is the fifth published specification of the seven security protocols described in the roadmap. The last two, WS-Privacy and WS-Authorization, are due by the end of the year, according to IBM officials.

The WS-Federation specification has three functional parts: the Web Services Federation Language, which defines how different security realms broker identities, user attributes and authentication between Web services; the Passive Requestor Profile, which describes how federation provides identity services to Web browsers and Web-enabled cell phones and devices; and the Active Requestor Profile, which does the same for applications based on the Simple Object Access Protocol (SOAP) and other smart clients.
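As an added illustration of the Passive Requestor Profile described above (example code written for this page, not part of the article or of either vendor's software): a browser is redirected to an identity provider with a sign-in request, and the identity provider must check that the requesting realm and the URL it wants the token posted back to are ones it actually trusts before issuing anything. The query parameter names (wa, wtrealm, wreply, wctx) are the ones used by the WS-Federation passive profile; the realm registry, the hostnames and the STS endpoint are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry: each relying-party realm the identity provider trusts,
# mapped to the reply URLs it is allowed to receive tokens at.
TRUSTED_REALMS = {
    "urn:example:portal": ["https://portal.example.com/federation/callback"],
}


def build_signin_request(sts_url, realm, reply_url=None, context=None):
    """Build the redirect URL a relying party sends the browser to (passive profile).

    wa      - the requested action, "wsignin1.0" for a sign-in
    wtrealm - the realm (relying party) asking for a token
    wreply  - optional URL the token should be posted back to
    wctx    - optional opaque state the relying party wants echoed back
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply_url is not None:
        params["wreply"] = reply_url
    if context is not None:
        params["wctx"] = context
    return f"{sts_url}?{urlencode(params)}"


def validate_signin_request(url, registry=TRUSTED_REALMS):
    """Identity-provider side check of an incoming sign-in request.

    Returns (True, realm, context) when the request may be served, or
    (False, reason, None) when it must be rejected. The important property is
    that the reply URL is taken from the registry for that realm, never from
    the caller alone, so a token can only be delivered to a registered endpoint.
    """
    query = parse_qs(urlsplit(url).query)

    def single(name):
        # A parameter supplied more than once is ambiguous; treat it as absent.
        values = query.get(name, [])
        return values[0] if len(values) == 1 else None

    if single("wa") != "wsignin1.0":
        return False, "unsupported or missing wa", None

    realm = single("wtrealm")
    if realm not in registry:
        return False, "unknown realm", None

    allowed_replies = registry[realm]
    reply = single("wreply")
    if reply is None:
        # wreply is optional in the profile; fall back to the registered endpoint.
        reply = allowed_replies[0]
    if reply not in allowed_replies:
        return False, "wreply is not registered for this realm", None
    if urlsplit(reply).scheme != "https":
        return False, "reply URL must use https", None

    return True, realm, single("wctx")


if __name__ == "__main__":
    sts = "https://sts.example.org/wsfed"  # constructed identity-provider endpoint
    good = build_signin_request(sts, "urn:example:portal",
                                "https://portal.example.com/federation/callback", "state-123")
    print(validate_signin_request(good))
    bad = build_signin_request(sts, "urn:example:portal", "https://attacker.example.net/cb")
    print(validate_signin_request(bad))
```

The check is deliberately an allow-list keyed on the realm: the reply URL is compared against what was registered for that realm, not just parsed for a plausible-looking host, and a missing wreply falls back to the registered endpoint rather than to anything the request supplies.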

“These specifications spell out how companies with different security solutions and different trust domains can successfully interoperate,” says Karla Norsworthy, director of dynamic e-business technologies for IBM. “These specifications allow individual companies to integrate business processes – without requiring them to convert to common security solutions or implement elaborate administrative solutions.”

IBM and Microsoft on Wednesday will present an interoperability demonstration using WS-Federation at this week’s Burton Group Catalyst Conference in San Francisco. The demonstration will knit together an IBM identity platform – IBM’s Tivoli Access Manager, IBM Directory Server and IBM WebSphere Portal, all running on Linux – with a Microsoft-centric identity platform including Active Directory, BizTalk Server and the .Net Framework.

“We also will show how identity systems can be federated in a reliable way,” says Arvind Krishna, vice president of security products for IBM.

The WS-Federation specification is now available on IBM’s developerWorks Web site. IBM and Microsoft hope to collect feedback from end users and independent software developers before eventually submitting the protocol to a standards body. The two said the process would follow a path similar to that of WS-Security, which went from published specification to OASIS submission in five months.

IBM believes the WS-Security specifications, including WS-Federation, are beginning to line up with work being done by the Liberty Alliance, which is focused on creating a framework for federated identity management.

The Liberty Alliance and the IBM/Microsoft juggernaut, however, remain on separate development paths, although the Liberty Alliance has incorporated WS-Security into its second-generation specification.

Experts say Liberty and IBM/Microsoft need to combine forces at some point to create a single identity management framework. Neither IBM nor Microsoft is a member of the Liberty Alliance.