A federated ID model lets a user authenticate with one company or Web site, and get personalized content and services from any of the federated organizations in that "circle of trust." In other words, a financial services company and an online retailer, for instance, can share a customer's ID information during a transaction, rather than each having to store and manage separate credentials for each user account.
To really understand the Liberty Alliance's federated-security model, you first have to comprehend the alliance's jargon. A network identity is the conglomeration of your personal information--the bits and bytes that represent you in a myriad of databases scattered around the world. It can include your name, user name, phone number, Social Security number, medical records, and identifying numbers from your driver's license, passports and employee ID. It also may include personal preferences such as your airline seating habits, musical tastes, cell phones and wireless e-mail devices.
One Sign-On Fits All
With a federated network ID, a user's multiple network identities from different accounts--with an airline and a car-rental agency, for instance--are linked, not stored at one site. This is the beginning of the single sign-on paradigm for the Internet. An employee could book a flight with an airline and reserve a car with a rental agency without having to sign on and reauthenticate with the rental company site separately. This federated ID model offers business partners and employees more personalized online service, as well as more security and control over which personal information is used.
It works like employee provisioning and single sign-on systems, which reconcile disparate user names for an individual across various corporate systems. If a user authenticates as jsmith to the corporate domain, for example, but logs on to the HR system as John.Smith, a federated network recognizes that both IDs are tied to the same person. It can then log John Smith on to the HR system from the corporate domain automatically, and he doesn't have to log on to the HR system separately.
The Liberty Alliance's circle of trust is a group of two or more businesses or service providers--banks, online retail stores or financial services companies--that share network IDs. These organizations operate under specific business agreements that dictate how they use the identities and conduct business.
The business client or consumer determines which elements of his or her identity information are shared among service providers in a circle of trust. The Liberty Alliance recommends that you notify the user about which information you're collecting. The user should give his or her consent for the ID information being exchanged among the different online sites in a circle of trust.
This "opt-in" process requires that the user agree to share information from Site A with Site B (see "Step by Step," page 63). The user confirms the information-sharing agreement when he or she arrives at the second site (B). From that point on, he or she only has to log on to one of those sites. That simplifies things for the user, and lets a business offer its clients ease of use and personalization features.
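The linking, opt-in and single sign-on flow described above, as an added Python sketch that is not from the article or from the Liberty Alliance specifications. It reuses the article's jsmith/John.Smith example; the site names and passwords are constructed, and representing the link as an opaque random handle held by each partner (rather than either site storing the other's user name or password) is an assumption about how the link is recorded.

```python
import secrets

class Site:
    """A circle-of-trust member: its own accounts plus opaque handles for linked accounts."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}     # local user name -> password, this site's store only
        self.consents = set()  # local users who opted in to sharing with partners
        self.sessions = set()  # local users currently signed on
        self.links = {}        # (partner name, handle) -> local user name

    def login(self, user, password):
        if self.accounts.get(user) != password:
            raise PermissionError(f"{self.name}: bad credentials for {user!r}")
        self.sessions.add(user)

    def federate(self, user, partner, partner_user):
        """Link an account here with one at partner; only a random handle crosses sites."""
        for site, u in ((self, user), (partner, partner_user)):
            if u not in site.sessions or u not in site.consents:
                raise PermissionError(f"{site.name}: {u!r} must be signed on and opted in")
        handle = secrets.token_hex(16)
        self.links[(partner.name, handle)] = user
        partner.links[(self.name, handle)] = partner_user

    def assert_to(self, user, partner):
        """Issue (issuer, handle) for a signed-on user federated with partner."""
        handle = next((h for (p, h), u in self.links.items()
                       if p == partner.name and u == user), None)
        if user not in self.sessions or handle is None:
            raise PermissionError(f"{self.name}: {user!r} must sign on locally")
        return self.name, handle

    def accept(self, assertion):
        """Sign the user on locally from a partner's assertion; no password asked."""
        local = self.links.get(assertion)
        if local is None:
            raise PermissionError(f"{self.name}: unknown federated handle")
        self.sessions.add(local)
        return local

def demo():
    corp, hr = Site("corp"), Site("hr")  # constructed sites, accounts and passwords
    corp.accounts["jsmith"], hr.accounts["John.Smith"] = "pw-corp", "pw-hr"
    corp.login("jsmith", "pw-corp"); hr.login("John.Smith", "pw-hr")  # one-time sign-on at B
    corp.consents.add("jsmith"); hr.consents.add("John.Smith")  # the opt-in at both sites
    corp.federate("jsmith", hr, "John.Smith")
    hr.sessions.clear()  # a later visit: the user is signed on only at corp
    return hr.accept(corp.assert_to("jsmith", hr))  # 'John.Smith', no HR password asked
```

Without the opt-in at both sites `federate` refuses to link, and an assertion whose handle no partner recorded is rejected, so the HR site never holds the corporate password and the corporate site never holds the HR one.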