IBM Expands Federated Identity Effort

There was a time when users’ identity information was siloed within enterprises, shared only with explicitly defined partners.

With the emergence of broad-based authentication schemes like OpenID and Windows CardSpace, those silos are breaking down today, while the need for a more expansive, enterprise-grade mechanism for managing identity federation has become paramount.

That’s where the new release of IBM’s Tivoli Federated Identity Manager (FIM) comes into play. The FIM release expands IBM’s efforts in the enterprise identity management space, which is becoming increasingly competitive with offerings from HP, CA and Oracle.

“Users want to participate in federation where you have one identity that you can use in multiple sites,” Tony Nadalin, chief security architect at IBM Tivoli Software, told “We’ve seen this take off with blogging and social networking sites and what we’re doing is bringing these options to the plate for companies. It broadens the federation into the consumer space even more.”

The new release of FIM expands IBM’s ability to manage federated identity by enabling integration with OpenID, Microsoft’s (NASDAQ: MSFT) Windows CardSpace and Eclipse’s Higgins Identity Frameworks.

The effort also seeks to help cope with the varying authentication models in use today. There’s first-party authentication, under which users self-register their own username and password with a site like eBay or Amazon, with those sites effectively trusting the user.

Then, there are second-party identity management systems, such as a corporate e-mail directory that provides authentication and identity. Lastly, there are the third-party, independent identity providers.

The key to federation — and single sign-on across sites and services, such as the kind enabled through FIM — is ensuring identity providers are trusted and their information managed properly.

“You have a single identity and you’re looking for other sites to accept the fact that the identity came from a well-known source,” Nadalin said.

One such source of identity could also be IBM Tivoli Identity Manager (TIM), which was recently updated as well. While FIM handles the federation of identity, enterprises still need a mechanism to update user information and manage the lifecycle for identities.

IBM originally introduced the first version of its FIM product in 2006. The new version of the product reflects the changing face of user demand, according to Nadalin.

“We’ve seen an increase in people wanting security as services,” Nadalin said. “People are looking to have identity and authorization as a service. This gives the infrastructure and ability to create identity provider and authentication types of services that we couldn’t traditionally create with our traditional set of software.”

While FIM has now expanded to include a broader set of federated identity sources, IBM still has some work ahead of it to ensure FIM provides better integration for network sources of identity like RADIUS and network access control (NAC).

“That is work in progress and it’s not part of this particular release, but you can today use Radius as a secondary mechanism measure,” Nadalin said. “You’ll see some of that come along after this release, which is focused on broadening federation scope.”
