Liberty Alliance Details Identity Architecture

Moving to put its stamp on a standards-based method for federated network
identity, the Liberty Alliance
Tuesday unwrapped plans for a complete identity infrastructure.


The alliance published a white paper outlining the Liberty Alliance
Federated Network Identity Architecture, which the organization said is a
complete infrastructure that it hopes will resolve many of the technology
issues currently hindering deployment of identity-based Web services.

“We’re providing a clear view of not just where we’re at but where we’re
headed,” Simon Nicholson, chair of the Business Marketing Expert Group at
Liberty and manager of Industry Initiatives and Alliances at Sun
Microsystems, told internetnews.com. “This is a
blueprint for what we’re building.”

Michael Barrett, president of the Liberty Alliance management board and
vice president of Internet Technology Strategy at American Express, added,
“Federated network identity is more than just simplified sign-on, as
illustrated by our direction. Establishing and sharing your identity is
critical to any kind of reciprocal relationship. Just as you wouldn’t
typically begin a business relationship in the real world without an
introduction, you wouldn’t enter a business relationship in the online
world without establishing and proving your identity.”


Under the Liberty Alliance’s architecture, identity consists of traits,
attributes and preferences. Traits are issued by governments, like driver’s
licenses and passports, and companies, like employee status and intranet
sign-in information, as well as biometric characteristics. Attributes and
preferences are specified as characteristics associated with an individual,
like a person’s airline seating preferences, music preferences, purchasing
history or medical history. The Liberty Alliance said attributes and
preferences can go beyond individuals to include devices and processes. For
instance, they can define a type of device (phone, desktop or kiosk) and
its capabilities (text, HTML, audio, etc.).

Together, traits, attributes and preferences comprise an identity, and the
relationship between an individual and an entity determines which elements
of that identity should be shared. By establishing a federated network
identity that links various user identities together, Liberty Alliance
argues that identity control and privacy can be maintained while also
providing users with ease-of-use and rapid access.


“A federated network identity delivers the benefit of simplified sign-on to
users by granting rapid access to resources to which they have permission,
but it does not require the user’s personal information to be stored
centrally,” the white paper explained. “This increases security and
delivers better identity control. With a federated network identity
approach, users authenticate once and can retain control over how their
personal information and preferences are used by the service providers. A
federated network identity is also beneficial for businesses because it
allows them to more easily conduct business transactions with authenticated
employees, customers and partners.”

Most early work on the creation of federated identities has occurred
within the enterprise, but the networks are beginning to form across
enterprises, and Nicholson said he expects to see more forming in the coming
year. Liberty Alliance calls a group of service providers that share linked
identities and have business agreements in place a “circle of trust”.

According to Liberty Alliance, a circle of trust’s attribute sharing
policies are typically based on:

  • A well-defined business agreement between the service providers
  • Notification to the user of information being collected
  • The user granting consent for types of information collected
  • Recording both notice and consent in an auditable fashion, where
    appropriate.

Once identity is established, the actual architecture which enables
federated network identity management consists of a number of modules.

The first is the Liberty Identity Federation Framework (ID-FF), which is
responsible for identity federation and management. Nicholson stressed that
Liberty Alliance has focused on not invalidating existing identity
management investments, noting that ID-FF can be used on its own or in
conjunction with existing identity management systems.

“We’re not suggesting people throw away what they’ve already made,” he
said, adding that 14 of Liberty Alliance’s member companies already sell or
shortly will be selling identity management products. “It’s important to
preserve those investments.”

The ID-FF framework is designed to work with heterogeneous platforms and
with all sorts of network devices, from personal computers to mobile
phones, PDAs and emerging devices. ID-FF features include:

  • Opt-in Account Linking, which allows a user with multiple accounts at
    different Liberty-enabled sites to link the accounts for future
    authentication and sign-in at those sites

  • Simplified Sign-On, allowing a user to sign on once at a Liberty ID-FF
    enabled site and to be seamlessly signed on when navigating to another
    Liberty-enabled site without the need to authenticate again. Liberty
    Alliance said simplified single sign-on is supported both within and across
    circles of trust

  • Fundamental Session Management, enabling companies or organizations
    that link accounts to communicate the type of authentication that should be
    used when a user signs on. It also enables global sign-out

  • Affiliations, which lets a user choose to federate within a group of
    affiliated sites

  • Anonymity, allowing a service to request certain attributes without
    needing to know the user’s identity

  • Protocol for the Real-time Discovery and Exchange of Meta Data,
    allowing the real-time exchange of meta data (such as X.509 certificates
    and service endpoints) between Liberty-compliant entities.

Liberty Alliance has already released ID-FF.
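The account-linking, simplified sign-on, anonymity and global sign-out features listed above can be seen working together in a small model. This is an added illustration, not code from Liberty Alliance or any ID-FF implementation: it stands in for the SAML-based protocol with a JSON body and an HMAC under a key shared per business agreement, and all names (IdentityProvider, ServiceProvider, "airline", "hotel") are made up here.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Hypothetical IdP: pairwise opaque pseudonyms plus MAC'd sign-on assertions.
    A model of the ideas on this page, not Liberty's wire format."""
    def __init__(self):
        self.circle = {}        # sp_id -> shared key (stands for the business agreement)
        self.links = {}         # (user, sp_id) -> opaque pseudonym
        self.sessions = set()   # users currently authenticated at the IdP

    def admit(self, sp_id, shared_key):
        self.circle[sp_id] = shared_key          # SP joins the circle of trust

    def authenticate(self, user):
        self.sessions.add(user)                  # user authenticates once, at the IdP

    def link_account(self, user, sp_id):
        """Opt-in account linking: a fresh opaque pseudonym per (user, SP) pair, so
        two SPs holding the same user's identifiers cannot correlate them."""
        if sp_id not in self.circle:
            raise PermissionError(f"{sp_id} is not in the circle of trust")
        return self.links.setdefault((user, sp_id), secrets.token_hex(16))

    def assertion(self, user, sp_id, authn_context="password"):
        """Simplified sign-on: reuse the IdP session, emit an assertion bound to one SP."""
        if user not in self.sessions:
            raise PermissionError("user must authenticate at the IdP first")
        body = json.dumps({"sp": sp_id, "name_id": self.links[(user, sp_id)],
                           "authn": authn_context}, sort_keys=True)
        tag = hmac.new(self.circle[sp_id], body.encode(), hashlib.sha256).hexdigest()
        return body, tag

    def global_signout(self, user):
        self.sessions.discard(user)              # no further assertions for this user


class ServiceProvider:
    def __init__(self, sp_id, shared_key):
        self.sp_id, self.key = sp_id, shared_key
        self.accounts = {}                       # pseudonym -> local account name

    def link(self, pseudonym, local_account):
        self.accounts[pseudonym] = local_account

    def consume(self, body, tag):
        """Accept only assertions MAC'd under our agreement key and addressed to us,
        then map the pseudonym to a local account; the SP never learns the IdP's user id."""
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        if claims["sp"] != self.sp_id:
            return None
        return self.accounts.get(claims["name_id"])
```

A second service provider receiving the same assertion fails both the key check and the audience check, and after global sign-out the IdP refuses to issue new assertions until the user authenticates again.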

The second module includes industry standards such as SAML, HTTP, WSDL,
XML, etc. Nicholson explained, “We don’t want to reinvent stuff that
already exists.” Much of the schema behind Liberty Alliance’s architecture
depends on standards and specifications created within OASIS, W3C, and
IETF.

The third module, the Liberty Identity Web Services Framework (ID-WSF), is
a foundational layer that defines a framework for creating, discovering and
consuming identity services. Liberty Alliance said it will allow entities
to offer users personalized services. ID-WSF’s features include:

  • Permission Based Attribute Sharing, allowing companies or organizations
    to offer individualized services based on attributes and preferences that
    the user chooses to share

  • Identity Service Discovery, allowing service providers to dynamically and
    securely discover a user’s identity services

  • Interaction Service, which details protocols and profiles for
    interactions that will allow services to obtain permission from a user to
    allow them to share data with requesting services

  • Security Profiles, which describe profiles and requirements for
    securing the discovery and use of identity services

  • Simple Object Access Protocol (SOAP) Binding, a SOAP-based invocation
    framework for identity services which defines SOAP Header blocks and
    processing rules

  • Extended Client Support, for enabling hosting of Liberty-enabled
    identity based services on devices without requiring HTTP servers or being
    addressable from the Internet

  • Identity Services Templates, which provide the building blocks for
    implementing an identity service on top of the ID-WSF.

Liberty Alliance expects to release ID-WSF in mid-2003.
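The circle-of-trust sharing policy described earlier (business agreement, notice, consent, auditable record) and the ID-WSF Permission Based Attribute Sharing and Interaction Service above amount to one enforcement rule: release an attribute only to a provider with an agreement, only with recorded user consent, and log every decision. The following is an added sketch of that rule, not Liberty Alliance code; the class, the attribute names and the provider names are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass
class AttributeService:
    """Hypothetical attribute service enforcing permission-based sharing with an audit trail."""
    agreements: set                 # providers with a business agreement (circle of trust)
    attributes: dict                # user -> {attribute: value}
    consents: dict = field(default_factory=dict)   # (user, provider, attribute) -> bool
    audit: list = field(default_factory=list)      # auditable record of notice and consent

    def notify_and_consent(self, user, provider, attr, granted):
        """Interaction step: the user is told which attribute the provider wants and
        decides; both the notice and the decision are recorded."""
        self.audit.append(("notice", user, provider, attr))
        self.consents[(user, provider, attr)] = granted
        self.audit.append(("consent" if granted else "refusal", user, provider, attr))

    def request(self, provider, user, wanted):
        """Release only attributes the user consented to share with this provider;
        a provider outside the circle of trust gets nothing at all."""
        if provider not in self.agreements:
            self.audit.append(("rejected_no_agreement", user, provider, tuple(wanted)))
            return None
        released = {}
        for attr in wanted:
            if self.consents.get((user, provider, attr)):
                released[attr] = self.attributes[user][attr]
                self.audit.append(("released", user, provider, attr))
            else:
                self.audit.append(("withheld", user, provider, attr))
        return released
```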

Finally, the fourth module, the Liberty Identity Services Interfaces
Specifications (ID-SIS), is a collection of specifications for
interoperable services built on top of ID-WSF. Planned for release in the
2003-2004 timeframe, services utilizing ID-SIS may include registration,
contact book, calendar, geo-location, presence or alerts. Liberty Alliance
said these independent services will be made interoperable through
implementing Liberty protocols for each specific service.

The first ID-SIS Liberty Alliance plans to make available will be the
Personal Profile Identity Service (ID-Personal Profile), which will define
schemas for basic profile information of a user, including name, legal
identity, legal domicile, home and work addresses. It can also include
phone numbers, e-mail addresses and some demographic information, public
key details, and other online contact information. Liberty Alliance
explained that by providing organizations with a standard set of attribute
fields and expected values, it hopes to create a dictionary or common
language which will allow them to speak to each other and offer
interoperable services.
