A group representing some of the financial services industry’s heaviest
hitters Wednesday issued its opinion that the OASIS Security Assertion
Markup Language v1.0 (SAML) and Liberty Alliance Identity Federation
Framework v1.1 specifications are both suited to the needs of financial
institutions and open up new business opportunities.
The two technologies present opportunities to streamline and improve how
financial institutions authenticate their customers and employees, while
also providing “transparent and cohesive” access to internal and external
network resources, the report, “Identity Management in Financial Services,”
found.
Published by the Financial Services Technology Consortium (FSTC) — which
counts both vendors and financial services institutions like Bank of
America, Citigroup, Fidelity, JPMorgan Chase and Wells Fargo among its
members — the report found that the two technologies “hold special
promise” as well as some risk for the financial services industry.
“While both Liberty and SAML technologies provide much promise for our
industry, standards bodies and technology vendors still need to make it
easier for financial institutions to develop and deploy network identity
solutions,” said Jim Salters, director of technology initiatives and
project development at FSTC. “Interoperability and performance, for
example, are two areas of concern.”
FSTC based its results on an in-depth analysis of business and technology
requirements for three typical financial industry use cases: employee
single sign-on to enterprise partners, business-to-business single sign-on,
and business-to-consumer account aggregation.
Business to Employee to Partner
The consortium said the two technologies fit well with the employee to
enterprise partner scenario, which explored both employee access to a
401(k) plan and employee access to corporate travel services.
“In many ways, this is a B2B2E authentication chain, with the business
authenticating the employer (financial institution), which in turn
authenticates its employee,” the report said.
In this particular scenario either SAML 1.0 alone or Liberty 1.1 using SAML
would provide single sign-on, allowing employees to log into their
corporate portals and then utilize a 401(k) or travel site without having
to provide additional authentication credentials. Liberty would be required
to provide single log-out, since the capability is not provided for in
SAML. Liberty would also power ‘Authentication Context,’ which is the
ability of the service provider (i.e. the 401(k) or travel site) to make
access decisions based upon the type of authentication mechanism used to
authenticate the employee at the corporate portal.
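The flow above, as an added example that is not code from the FSTC report, OASIS or the Liberty Alliance: the corporate portal (identity provider) issues a SAML 1.0-style assertion and the 401(k) site (service provider) decides what to allow purely from that assertion. SAML 1.0 has no Liberty Authentication Context, so the example uses the AuthenticationMethod attribute of the AuthenticationStatement as the closest stand-in, mapping a password login to balance viewing only and a hardware token to contribution changes. The portal and plan URLs, the assertion ID, the clock value and the policy table are all constructed for the illustration, and XML signature generation and verification are omitted; a real deployment must add them before trusting anything in the assertion.

```python
"""Minimal SAML 1.0-style assertion, built by the IdP (corporate portal)
and evaluated by the SP (401(k) site). Added illustration only; not code
from the FSTC report, OASIS, or the Liberty Alliance. No XML signature is
produced or checked here, so a real deployment must add that step."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Authentication method identifiers defined in SAML 1.0 core, section 7.1.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_HW_TOKEN = "urn:oasis:names:tc:SAML:1.0:am:HardwareToken"
# Hypothetical endpoints for the portal (IdP) and the plan site (SP).
PORTAL = "https://portal.fi.example"
PLAN_SITE = "https://401k.plan.example"
# Constructed clock value used by demo() so the example runs offline.
ISSUED_AT = datetime(2004, 1, 1, 12, 0, tzinfo=timezone.utc)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# SP policy (constructed): a password login may only view a balance; a
# hardware token is required before a contribution rate may be changed.
POLICY = {
    AM_PASSWORD: {"view_balance"},
    AM_HW_TOKEN: {"view_balance", "change_contribution"},
}


def q(tag):
    """Namespace-qualified tag name for ElementTree."""
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(subject, auth_method, issued_at, lifetime=timedelta(minutes=5)):
    """IdP side: assertion with validity window, audience and auth method."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": "_constructed-id-1",  # constructed, not a real ID
        "Issuer": PORTAL,
        "IssueInstant": issued_at.strftime(TS_FMT),
    })
    cond = ET.SubElement(root, q("Conditions"), {
        "NotBefore": issued_at.strftime(TS_FMT),
        "NotOnOrAfter": (issued_at + lifetime).strftime(TS_FMT),
    })
    aud = ET.SubElement(cond, q("AudienceRestrictionCondition"))
    ET.SubElement(aud, q("Audience")).text = PLAN_SITE
    stmt = ET.SubElement(root, q("AuthenticationStatement"), {
        "AuthenticationMethod": auth_method,
        "AuthenticationInstant": issued_at.strftime(TS_FMT),
    })
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = subject
    return ET.tostring(root, encoding="unicode")


def evaluate(assertion_xml, operation, now, audience=PLAN_SITE):
    """SP side: decide purely from the assertion. Returns (allowed, reason)."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    if root.tag != q("Assertion") or root.get("Issuer") != PORTAL:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        return False, "missing conditions"
    not_before = datetime.strptime(cond.get("NotBefore"), TS_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if audiences and audience not in audiences:
        return False, "audience mismatch"
    stmt = root.find("saml:AuthenticationStatement", ns)
    if stmt is None:
        return False, "no authentication statement"
    method = stmt.get("AuthenticationMethod")
    if operation not in POLICY.get(method, set()):
        return False, f"{operation} not allowed for method {method}"
    return True, "ok"


def demo():
    """The cases a practitioner would check first, as a name -> result map."""
    pw = build_assertion("jdoe", AM_PASSWORD, ISSUED_AT)
    hw = build_assertion("jdoe", AM_HW_TOKEN, ISSUED_AT)
    one_minute = ISSUED_AT + timedelta(minutes=1)
    return {
        "password_view": evaluate(pw, "view_balance", one_minute),
        "password_change": evaluate(pw, "change_contribution", one_minute),
        "token_change": evaluate(hw, "change_contribution", one_minute),
        "expired": evaluate(pw, "view_balance", ISSUED_AT + timedelta(minutes=5)),
        "wrong_audience": evaluate(hw, "view_balance", one_minute, audience="https://travel.example"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The audience restriction is what keeps an assertion minted for the 401(k) site from being replayed at the travel site, and the short validity window limits how long a captured assertion stays useful; both checks belong on the SP regardless of whether the policy keyed on authentication method is as coarse as the one shown here.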
Liberty 1.1 would also be required for actual federation, as it provides
the ability to link a user’s identity at a corporate portal with the user’s
identity at the service provider. Liberty accomplishes this through manual
user interaction. It doesn’t provide a bulk federation mechanism, though
the employer and service provider can add one for a given deployment
of the specifications. Finally, Liberty provides for opt-out, or
‘defederation,’ providing the ability to terminate an existing link between
the user’s identity at the corporate portal and the service provider.
While it appears that SAML would be less of a fit than Liberty in B2E
scenarios based upon this, FSTC said that would be misleading. For
instance, SAML would be a good fit all on its own in scenarios based on
simple interactions or one-time transactions.
“Consider the case when an FI [Financial Institution] has outsourced to an
SP [Service Provider] the handling of employee discounts to a local
business,” the report said. “Since this type of transaction does not
require any type of follow up, the SP can simply fulfill the request based
upon the information in the SAML assertion and not retain any information
about the transaction or employee.”
But the report also noted that Liberty extends SAML for more complex
authentication infrastructures.
“With the federation model, Liberty does offer some important benefits to
protect the privacy of the user’s identity between service providers and
also allows the user some control over the linking that may or may not
occur as the result of being an employee,” the report said. “This can be
important in cases where the employer automatically federates the user’s
identity to enable single sign-on services, but allows the user to opt-out
in cases where the user does not wish to have this functionality. In our
case, it is easy to imagine a scenario where a user does not want her
401(k) account single sign-on enabled with her corporate portal account.
Liberty provides a mechanism to easily defederate or terminate this link.”
Business to Business
The B2B use case revolved around two examples: federated identity in an
affinity card supply chain, and federated identity in mobile financial
services.
“Within the credit card industry, specifically the proliferation of
affinity and co-branded cards, a financial data supply chain exists that
has direct application and a value-additive quality through the use of the
Liberty and SAML protocols,” the report said. “In an affinity card
environment, seemingly dissimilar business markets or those typically not
involved in a partnered data exchange have found that critical financial
and cardholder information must be exchanged.”
The report noted that, to date, the business problem has been how to
exchange this sensitive data between an affinity card sponsoring bank, the
branding entity and the merchant services processor while still providing
for security and privacy.
“Therefore, in a Liberty and SAML enabled affinity data passing
transaction, a solution can be applied that enables the related parties to
transfer data seamlessly, apply the appropriate security protocols, and
dramatically reduce the cost model for exchanging data by reducing
transaction complexity,” the report said.
In mobile financial services, FSTC said the two protocols could help erase
the barrier to adoption for services like checking bank transactions and
balances, obtaining financial news and other relevant information,
executing purchases from online merchants, and so on.
“The barrier to adoption of the services the user values is the inability
to provide a means of access to services that considers the view of the
mobile user supply chain,” the report said. “Each mobile user has a unique
set of services he/she would like to utilize, but has no way to ‘federate,’
at the mobile user’s choice, his/her identity credentials across the set of
applications. Adoption of these services is impacted due to mobile users
spurning n+1 identity, authentication, and authorization processes for each
business entity providing one application service. The ability to provide a
federated set of credentials for a mobile user with a choice of when to
federate dramatically increases the potential adoption of mobile content,
mobile commerce, and transaction-based services.”
B2C Account Aggregation
Finally, FSTC said SAML, and possibly Liberty, may have a role to play in
account aggregation, a new application that has been deployed at numerous
financial institutions to allow consumers and other end-users to view and
manage all of their accounts from a single location — even accounts
distributed across a variety of account types, financial instruments and
financial institutions. But in order to access this protected information,
the end-user typically shares credentials for each of their financial
institution Web accounts with an aggregator, which in turn uses those
credentials each time data is accessed from the financial institution. This
places a great deal of risk on the aggregator’s shoulders.
“To reduce risk in the aggregation space, there is great interest in
exploring alternate authentication solutions that do not require the
sharing of the authentication credentials with the aggregator,” the report
said. “The SAML specifications, and possibly the Liberty specifications,
provide potential tools for implementing such an alternative authentication
solution.”
While the report forecasts great potential for SAML in this space, it also
suggested a number of areas that need to be strengthened or addressed
before it is a truly viable solution. For instance, the report suggested
that an XML-based resource representation would be better suited to the
financial services industry’s needs than the current URI representation. It
also suggested expanding the authorization delegation framework, adding
industry-specific vocabularies, and carrying richer authentication information.
Additionally, the report said performance needs to be improved and support
for server-to-server interactions provided for.
Conclusions
In all, the report concluded that SAML and Liberty are excellent technical
starting points, but they are not enough on their own.
“While both specifications are strong technical foundations for building
network identity customer relationships, these technologies are only part
of a complete network identity solution,” said Zachary Tumin, FSTC
executive director. “Financial institutions must pay as much attention, if
not more, to traditional industry concerns such as risk exposure,
liability, auditing, customer support, and compliance issues. We expect our
findings to provide significant insights to FSTC members as well as
standards setting organizations and consortiums, such as OASIS and the
Liberty Alliance.”
The Liberty Alliance shared those conclusions, and has already begun to
offer some answers. A day before the report was made public, the Liberty
Alliance issued the first in a planned series of documents dealing with
business issues associated with identity federation, including: mutual
confidence, risk management, liability assessment and compliance.