Network Identity, Liberty Alliance and Identity Enabled Portals
I have been having this interesting conversation with the developer of JOSSO, an open source Single Sign On framework. The good news from JOSSO is that they can integrate with Pluto, potentially providing a great open source identity template for portal infrastructures.
Now what is Identity and how does it relate to portals? After having worked a good year and a half with the Sun Identity Server (now called the Access Manager) team and almost a year now with the Sun Portal, here's what I think:
It all starts with the concept of a Digital Identity. Every networked application that we interact with today has some inbuilt way of recognizing us as well as storing information about us. Take Yahoo Messenger for instance. Yahoo Messenger identifies me with my Yahoo username and password and it stores information about my contacts, profile and privacy options. Now, the set of all such information that Yahoo knows about me can be called my digital identity with respect to Yahoo. Amazon, on the other hand, recognizes me with my email ID and password and has information about all the cool stuff I've ordered. Everything Amazon knows about me is my digital identity with respect to Amazon.
Now, the problem with digital identity is that it is fragmented and application specific. My digital identity with respect to Yahoo is distinctly different from that with respect to Amazon.
Similarly, in the corporate network I might interact with a lab reservation tool and a service desk tool using two entirely different username/password combinations. And both these applications remember different things about me. Multiple digital identities again!
Enter Network Identity
The goal of a "Network Identity" is to consolidate all these multiple, fragmented digital identities into one single identity for the whole network. A network identity would be designed to be application agnostic. What this means is that I do not authenticate to one particular application in a network but rather to the network itself. Once I authenticate to the network itself, I should be able to seamlessly access all applications on that network without any further authentication. Alright, achieving this might not be as easy as it sounds, but that's the idea of having a network identity.
An interesting consequence of having a Network Identity is that I can "Authenticate Once, Access Anything" or, in other words, Single Sign On (SSO) across applications in the network. The cool part of SSO is that I don't need to remember multiple usernames and passwords. But the real benefit of having a Network Identity goes much beyond not having to strain my memory cells.
A single point of Identification/Authentication for a user would also serve as a very effective single point for enforcing network-wide security policies. It means ease of management, lower maintenance cost and faster responsiveness to changes. When an employee quits, for instance, the admin does not need to update all hundred applications running on the network, just the one central point where employees authenticate to the network.
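As an added illustration (not from the original post, and not any product's code), here is a toy model of the idea in this section: one identity provider holds the credentials and issues signed assertions, the applications keep no passwords of their own, and deactivating a user at that single point locks them out of every application at once. The class and method names are made up for the example; the signing key is shared symmetric HMAC for brevity.

```python
import base64, hashlib, hmac, json, os, time


class NetworkIdentityProvider:
    # The single point on the network that holds credentials and issues signed assertions.
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}  # username -> {"salt", "hash", "active"}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt), "active": True}

    def deactivate(self, username: str) -> None:
        # Deprovisioning touches only this record; every application on the network sees it at once.
        self._users[username]["active"] = False

    def authenticate(self, username: str, password: str, ttl: int = 300):
        # Returns a signed "payload.signature" assertion, or None when the credentials are rejected.
        u = self._users.get(username)
        if u is None or not u["active"] or not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return None
        payload = json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def validate(self, token: str):
        # Returns the username if the assertion is genuine, unexpired and the account is still active.
        try:
            p64, s64 = token.split(".")
            payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, hmac.new(self._key, payload, hashlib.sha256).digest()):
            return None
        claims = json.loads(payload)
        if claims["exp"] < time.time() or not self._users.get(claims["sub"], {}).get("active"):
            return None
        return claims["sub"]


class NetworkApplication:
    # A lab reservation tool or service desk: stores no passwords, trusts only the network identity.
    def __init__(self, name: str, idp: NetworkIdentityProvider):
        self.name, self.idp = name, idp

    def access(self, token: str) -> str:
        user = self.idp.validate(token)
        return f"{self.name}: welcome {user}" if user else f"{self.name}: access denied"
```

Real deployments replace the shared HMAC key with assertions signed by the identity provider and verified by each application against its public key, which is what keeps the applications from being able to mint assertions themselves.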
And then came the Liberty Alliance
The concept of a Network Identity becomes even more interesting when the network in question is the Internet itself. Is it possible to have an Internet-wide identity that can be shared by cooperating organizations? Can it be achieved without compromising privacy and security concerns?
The Liberty Alliance tries to answer these questions. It is a set of protocols that can enable Identity Federation. Federation (which has nothing to do with Star Trek whatsoever :)) refers to the means by which Identity can be shared between cooperating organizations. Identity Federation opens up a lot of interesting possibilities.
But what does this have to do with portals?
The portal is the center of the network
Portals, in the meantime, have evolved as gateways into today's networks. I hit my.yahoo.com to check my mail, news, weather and stocks. I hit our internal portal for updates, announcements, search etc. Portals don't just aggregate content and services, they provide customization, personalization, collaboration and search.
If there is one central point that needs to authenticate me to the network, then the portal is the most logical choice.
Portals need to hook into an Identity layer, not just to provide SSO into the applications and services they aggregate but also to help federate me with other portals and organizations.
And this is being increasingly realized by both open source players and commercial vendors.
As a developer with Sun, I know for a fact that the Sun portal is built in such a way that it can completely leverage all the Access Manager functionality. JOSSO supports Pluto, and perhaps going forward we can expect more. And interestingly, IBM joined the Liberty Alliance a couple of months back.
So if there is one thing you would want me to predict about the future of portals, I would say most of them will be Identity enabled. Let's wait and watch!!