Liberty Alliance publishes Phase 2 specs

Industry consortium The Liberty Alliance Project published the final version of its Phase 2 specifications Wednesday and named five companies that will be releasing identity management products that support the new standards.

The Phase 2 Liberty Identity Federation Framework finalizes a draft standards document that was released in April and is intended to make Web services easier to deploy and ensure that they comply with laws for securing privileged user information.

Web services allow businesses and business applications to use open technology standards such as XML and SOAP to communicate and share information with each other and with customers over corporate intranets or the Internet.

Phase 2 builds upon standards laid out in Phase 1 for sharing user authentication information such as user names and passwords among organizations. It adds guidelines for sharing other user attributes in addition to authentication information, according to Sai Allavarpu, group business manager for network identity services at Sun Microsystems Inc., a founding member of The Liberty Alliance.

The new standards will make it possible to link user accounts at two or more organizations that are exchanging information in a Web services transaction, sharing data such as billing information, credit card numbers and shipping information. That will make “mainstream” Web services deployments possible, where they were not with just the Phase 1 specifications, Allavarpu said.

“Phase 2 bakes privacy into the (Web services) architecture. When you share data with businesses you can decide what kinds of conditions and controls you want to place on that data,” he said.

Also, the Phase 2 specifications introduce new features such as a “resource owner interaction service” that will allow users to be contacted on mobile devices such as cellular telephones and confirm requests to share their user information, he said.

For example, a book ordered on Amazon.com Inc.’s Web site might generate a request from FedEx Corp., sent to the user’s cellular telephone or mobile device, to allow FedEx to share the shipping address with Amazon, Allavarpu said.

Those kinds of services may be particularly attractive to telecommunications companies, which are eager to expand the number of premium services they can offer their phone customers, but which also must contend with privacy regulations that restrict the sharing of customer information, according to Dan Blum, an analyst at Burton Group.

With a robust identity framework that also allows companies to securely exchange useful information about user demographics and preferences, telecommunications companies will find it easier to market and sell new services such as games, restaurant recommendations and applications, Blum said.

Vodafone Group PLC plans to use Liberty Phase 1 and Phase 2 standards in its intranet and commercial service platforms. Vodafone platform releases in 2004 and 2005 will include the specifications, according to Liberty.

Sun said that a version of the Java System Identity Server due out in early 2004 will also support Phase 2 specifications. A beta version of Identity Server that supports the Phase 2 specifications is currently available for Sun customers to test.

Formerly known as Sun ONE Identity Server, the Java System Identity Server integrates features such as directory services, access management, user management, single sign-on and user self service, in addition to federated identity using The Liberty Alliance Phase 2 specifications, he said.

The new version of Identity Server is designed to reduce the custom software integration customers need to perform when deploying identity and access management systems based on the Liberty specifications. The product will also support delivery and authentication from mobile devices, including features for detecting the type of mobile device being used and formatting Web content to fit the device’s screen and resolution requirements, Allavarpu said.

Also on Wednesday, Liberty published a “Privacy and Security Best Practices” document on its Web site. The document is intended to help companies navigate the tricky legal waters regarding information practices worldwide. The document includes Liberty Alliance security and privacy recommendations as well as information on addressing common Internet network vulnerabilities.

The Liberty Alliance is not the only industry group working on Web services identity-information issues. IBM Corp. and Microsoft Corp. in July published a competing identity management framework, Web Services Federation Language, or WS-Federation.

The Liberty Alliance has a good lead on IBM and Microsoft, but the various standards, including efforts by the Organization for the Advancement of Structured Information Standards, will need to converge at some point in the future as Web services deployments become more widespread and complex, Blum said.

With the growth in Web services implementations, companies are beginning to look more seriously at using technologies like Security Assertion Markup Language (SAML), an XML-based authentication framework, and at the Liberty Alliance specifications, Blum said.

Interest from financial services companies that want to securely exchange information on borrowers, in addition to telecommunication companies, could spur more Web services deployments in coming months, he said.

However, widespread enterprise adoption of the Liberty specifications may take months.

“There’s increasing interest, but enterprises that are trying to use this stuff are still early adopters,” Blum said.

Implementations of the Liberty specifications still require a considerable amount of customization to make the specifications work with business applications and partners, he said.

“You still have to pay to play,” Blum said.