Navaneeth Krishnan's Blog

Network Identity, Liberty Alliance and Identity Enabled Portals

Posted by navaneeth on December 09, 2004 at 12:25 AM | Comments (4)

I have been having this interesting conversation with the developer of JOSSO, an open source Single Sign On framework. The good news from JOSSO is that they can integrate with Pluto, potentially providing a great open source identity template for portal infrastructures.

Now, what is Identity and how does it relate to portals? After having worked a good year and a half with the Sun Identity Server (now called the Access Manager) team and almost a year now with the Sun Portal, here's what I think:

Digital Identity

It all starts with the concept of a Digital Identity. Every networked application that we interact with today has some built-in way of recognizing us as well as storing information about us. Take Yahoo Messenger, for instance. Yahoo Messenger identifies me by my Yahoo username and password, and it stores information about my contacts, profile and privacy options. The set of all such information that Yahoo knows about me can be called my digital identity with respect to Yahoo. Amazon, on the other hand, recognizes me by my email id and password and has information about all the cool stuff I've ordered. Everything Amazon knows about me is my digital identity with respect to Amazon.

Now, the problem with digital identity is that it is fragmented and application specific. My digital identity with respect to Yahoo is distinctly different from that with respect to Amazon.

Similarly, on the corporate network I might interact with a lab reservation tool and a service desk tool using two entirely different username/password combinations, and both applications remember different things about me. Multiple digital identities again!

Enter Network Identity

The goal of a "Network Identity" is to consolidate all these multiple, fragmented digital identities into one single identity for the whole network. A network identity would be designed to be application agnostic: I do not authenticate to one particular application on the network but rather to the network itself. Once I have authenticated to the network, I should be able to seamlessly access all applications on that network without any further authentication. Alright, achieving this might not be as easy as it sounds, but that's the idea behind having a network identity.

An interesting consequence of having a Network Identity is that I can "Authenticate Once, Access Anything", in other words Single Sign On (SSO) across all applications in the network. The cool part of SSO is that I don't need to remember multiple usernames and passwords. But the real benefit of having a Network Identity goes well beyond not having to strain my memory cells.

A single point of identification/authentication for a user also serves as a very effective single point for enforcing network-wide security policies. It means ease of management, lower maintenance cost and faster response to changes. When an employee quits, for instance, the admin does not need to update all the hundred applications running on the network, just the one central point where employees authenticate to the network.
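The "authenticate once, update one central point" idea above, as an added Python sketch that is not part of the original post: the applications hold no passwords and hand every assertion back to the provider for validation, in the style of the Access Manager's session-validation callback rather than any real product API. The provider, application names and credentials are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo (not the post's code): one central authentication point for
# the whole network, in the spirit of the Access Manager session service the post
# mentions. Applications hold no passwords; they hand the user's assertion back to
# the provider, so disabling a user in one place cuts off every application at once.

class NetworkIdentityProvider:
    def __init__(self, key: bytes):
        self._key = key
        self._passwords = {"alice": "correct horse", "bob": "battery staple"}  # demo only
        self._active = set()  # identities currently allowed on the network

    def authenticate(self, user, password):
        """Authenticate once: returns a signed network assertion, or None."""
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            return None
        self._active.add(user)
        body = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode())
        return body + b"." + hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def validate(self, assertion):
        """Session validation every application calls: signature first, then status."""
        body, _, mac = assertion.partition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not mac or not hmac.compare_digest(mac, expected):
            return None
        user = json.loads(base64.urlsafe_b64decode(body))["sub"]
        return user if user in self._active else None

    def deprovision(self, user):
        """The single place an admin touches when an employee leaves."""
        self._active.discard(user)

def application_access(name, idp, assertion):
    """A lab reservation tool, a service desk, ...: trusts the provider, holds no passwords."""
    return idp.validate(assertion) is not None

def demo():
    idp = NetworkIdentityProvider(key=b"demo-network-key")
    token = idp.authenticate("alice", "correct horse")
    apps = ["lab-reservation", "servicedesk", "wiki"]
    before = {a: application_access(a, idp, token) for a in apps}
    idp.deprovision("alice")  # one update, every application follows
    after = {a: application_access(a, idp, token) for a in apps}
    return before, after
```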

And then came the Liberty Alliance

The concept of a Network Identity becomes even more interesting when the network in question is the Internet itself. Is it possible to have an Internet-wide identity that can be shared by cooperating organizations? Can it be achieved without compromising privacy and security concerns?

The Liberty Alliance tries to answer these questions. It defines a set of protocols that enable Identity Federation. Federation (which has nothing to do with Star Trek whatsoever :) refers to the means by which identity can be shared between cooperating organizations. Identity Federation opens up a lot of interesting possibilities.
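The federation idea, as an added Python sketch that is not from the post and is not Liberty's wire protocol: one identity provider gives each cooperating service provider its own opaque handle for the user, in the style of Liberty's opaque name identifiers, so the providers learn neither the user's real name nor that they share a user. The organization names, keys and account names are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo (not the post's code, nor Liberty's actual protocol messages): the
# account-linking idea behind Liberty identity federation. The provider never tells a
# service provider the user's real name; each (user, SP) pair gets its own opaque handle.

class IdentityProvider:  # the organization that authenticates the user
    def __init__(self, sp_keys):
        self._sp_keys = sp_keys  # sp_id -> key shared with that service provider
        self._handles = {}       # (user, sp_id) -> opaque pseudonym
    def federate(self, user, sp_id):
        """Link the user's account with one SP: a fresh random handle per pair."""
        return self._handles.setdefault((user, sp_id), secrets.token_hex(16))

    def assert_to(self, user, sp_id):
        """Signed statement for one SP carrying only that SP's pseudonym for the user."""
        body = json.dumps({"aud": sp_id, "name_id": self.federate(user, sp_id)}).encode()
        return body, hmac.new(self._sp_keys[sp_id], body, hashlib.sha256).hexdigest()

class ServiceProvider:  # a cooperating organization that accepts the provider's assertions
    def __init__(self, sp_id, key):
        self.sp_id, self._key = sp_id, key
        self._accounts = {}  # pseudonym -> local account name

    def consume(self, body, mac, link_to=None):
        """Verify the assertion, then map the pseudonym to a local account."""
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).hexdigest(), mac):
            return None
        claims = json.loads(body)
        if claims["aud"] != self.sp_id:  # issued for some other organization
            return None
        if link_to:  # first visit: the user consents to link the handle to a local account
            self._accounts[claims["name_id"]] = link_to
        return self._accounts.get(claims["name_id"])

def demo():
    keys = {"travel.example": b"key-travel", "bank.example": b"key-bank"}
    idp = IdentityProvider(keys)
    travel = ServiceProvider("travel.example", keys["travel.example"])
    bank = ServiceProvider("bank.example", keys["bank.example"])
    t_body, t_mac = idp.assert_to("alice", "travel.example")
    b_body, b_mac = idp.assert_to("alice", "bank.example")
    return {"travel_first": travel.consume(t_body, t_mac, link_to="a.smith"),
            "travel_again": travel.consume(t_body, t_mac),
            "bank_replay": bank.consume(t_body, t_mac),  # travel's assertion is useless at the bank
            "handles_differ": json.loads(t_body)["name_id"] != json.loads(b_body)["name_id"],
            "name_leaked": b"alice" in t_body + b_body}
```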

But what does this have to do with portals?

The portal is the center of the network

Portals, meanwhile, have evolved into the gateways to today's networks. I hit my.yahoo.com to check my mail, news, weather and stocks. I hit our internal portal for updates, announcements, search etc. Portals don't just aggregate content and services; they provide customization, personalization, collaboration and search. If there is one central point that needs to authenticate me to the network, then the portal is the most logical choice. Portals need to hook into an Identity layer, not just to provide SSO into the applications and services they aggregate but also to federate me with other portals and organizations.

And this is being increasingly realized by both open source players and commercial vendors. As a developer with Sun I know for a fact that the Sun Portal is built in such a way that it can fully leverage all the Access Manager functionality. JOSSO supports Pluto, and going forward we can perhaps expect more. And interestingly, IBM joined the Liberty Alliance a couple of months back.

So if there is one thing you would want me to predict about the future of portals, I would say most of them will be Identity enabled. Let's wait and watch!!


Comments

  • As long as java.net and java.sun.com are too disparate to federate, the future of this technology seems a long way off.

    Posted by: coxcu on December 10, 2004 at 01:39 PM

  • My two cents' worth.

    From past experience, the obstacles to digital and network identity SSO can be fairly high in terms of infrastructure and personnel costs, but those costs are generally paid because productivity loss is generally much more expensive. The idea of an inter-company federated identity opens up a whole new world of political, legal, and cultural issues in the corporate landscape for what seems very little gain. Just from a corporate employee data perspective, it is often difficult enough to get internal system developers to give up "control" of their identity management in favor of internal federation and SSO. Attempting to extend that id beyond the corporate ramparts could be viewed as an exercise in futility due to security and privacy issues.

    By the same token, the common user of corporate services has the same concerns over the storage and use of their information. Only in that case the consumer has an impressive voting mechanism to voice their opinion: they can refuse to utilize corporate services from companies they deem careless with their data. More often than not that translates to lost revenue, and the fear alone of a customer boycott is a stumbling block to cross-company identity federation. Corporate reputation and trust are just too delicate and fragile for executives to play fast and loose with customer data. An incident of identity mismanagement is a stock sell-off in the making.

    Beyond the perception and trust issues lies the legal realm, and federated identities have some interesting global legal issues surrounding them. A major case in point is the controversial EU Directive 95, which forbids any transfer of personal data outside the EU to countries that do not guarantee or do not have in place adequate safeguards for that data. For all intents and purposes, personal data can be construed as something as seemingly innocuous as a name. Many countries' privacy laws, including those of the United States, are not stringent enough to fully comply with EU standards, and failure to comply can mean fines or even sanctions denying the right to do business in EU countries.

    A final note. Despite the fact that the Liberty Alliance has produced an excellent architecture and protocol for federation, there is no guarantee that company integrators will implement the technology correctly or with all due diligence. Many companies seem to adhere to the letter of the customer-company trust agreement and violate its spirit when it is convenient and more profitable to do so. It will be interesting to see how the inevitable breaks with customer trust, whether intentional or not, affect the overall acceptance of identity federation.

    To overcome all of these hurdles, I believe corporate and more importantly consumer acceptance of the technology will take considerable time and promotion.

    Posted by: mjtrefethen on December 14, 2004 at 06:27 PM

  • Hi,

    I am looking for a framework like Struts for the Portal. IBM is going to desupport the Struts portlet framework in WebSphere Portal 5.1. We are looking for some alternative. Can somebody help me out on this?

    Regards,
    Thiru

    Posted by: thirumalai on December 16, 2004 at 12:40 PM

  • Alongside the "Liberty Alliance" there exists a parallel in the academic world, "Shibboleth" from the Internet2 group (http://shibboleth.internet2.edu/). SWITCH (www.switch.ch), the Swiss Education and Research Network, has a large implementation of Shibboleth, in the form of AAI (Authentication and Authorization Infrastructure).

    Posted by: ramakrishnank on January 12, 2005 at 05:00 AM
