Federated Networks: The Next Wave of Security

Have you heard about the upcoming federated networks? Two groups, the Liberty Alliance and the Web Services Interoperability Organization (WS-I), are developing the technology to let users better manage their credentials for cross-site authentication and network access between dissimilar topologies and protocols. The goal is to make single sign-on (SSO) easier by developing methods that let users authenticate once with the provider of their choice and gain subsequent access to other networks within a federation transparently.


Sun Microsystems launched the Liberty Alliance Project last September. The Liberty Alliance intends to "create an open, federated solution for network identity—enabling ubiquitous single sign on, decentralized authentication and open authorization from any device connected to the Internet, from traditional desktop computers and cellular phones through to TVs, automobiles, credit cards and point-of-sale terminals." The Liberty Alliance maintains that the development and adoption of such specifications would prevent various service providers from creating "Internet toll-booths."

"Without an open federated identity model for the Internet, there's risk that only a few companies and their preferred sets of partners will become firmly established as the service brokers of the Internet," said a Liberty Alliance spokesperson. "Companies will be charged to use services brokered through these Internet toll takers. Merchants and financial institutions will certainly pay for authentication and access to these profiles. In short, a company that is not a service broker will be charged for access to [its] own communities—communities built on the backs of [its] own shareholders and citizens."

The Liberty Alliance is developing an open specification and invites participation in the process. Various alliance membership levels are available to any organization. To date, more than 40 major companies participate in the organization, including American Express, Visa, MasterCard, Citigroup, AOL, General Motors, Sony, Cisco Systems, Hewlett-Packard (HP), United Airlines, Novell, RSA Security, Entrust, the Apache Software Foundation, and VeriSign. Phase I of the specification is due for release any time now, and the organization expects to announce the next development phases, including the time frames in which protocols for the specification will be made available.

In April, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security) with an accompanying specification. The specification defines a standard set of Simple Object Access Protocol (SOAP) extensions or message headers for exchanging secure, signed messages in a Web services environment. According to Microsoft, WS-Security is "designed to support XML Web services capable of seamlessly crossing organizational, network, application, database, and trust boundaries." The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), Security Assertion Markup Language (SAML), and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The support "means that organizations can begin to build solutions on this foundation today, and do not need to throw away their current security infrastructure investments." Furthermore, WS-Security will let users directly federate Active Directories (ADs) over the Internet and let Windows .NET Server (Win.NET Server) accept Microsoft .NET Passport as a credential type when passports are mapped to an AD account.


Microsoft announced that it will release TrustBridge for Win.NET Server in 2003. TrustBridge will be built on WS-Security technology and will let Win.NET Server-based applications use credentials generated by non-Microsoft products that use WS-Security. For example, IBM will add WS-Security support to its middleware products. You can read the related news story in this newsletter for more information about TrustBridge. Use either the news story reference or the URL

Microsoft anticipates that "the proposed model and specifications that emerge (WS-Security) will be broadly available from multiple vendors and will be considered by appropriate standards organizations." In the meantime, the company also announced that .NET Passport would support WS-Security by 2003, and that it will add WS-Security to Visual Studio .NET and .NET Framework this year. The WS-I organization expects to see its members release a set of sample applications that demonstrate WS-Security interoperability this year.

WS-I boasts more than 1000 members, including notable heavyweights such as Intel, AT&T, Procter and Gamble, and Sabre. And although some companies such as HP and VeriSign have chosen to participate in both efforts, another industry leader, Sun, hasn't joined the WS-I organization. According to an InfoWorld Media Group report, Sun wants to participate, but only if it can have a seat on the board of directors with its competitors Microsoft and IBM in an effort to gain parity in decision making. To date, WS-I has declined to modify its current board, which isn't surprising given that Sun's Java competes with Microsoft's .NET Web services technology.

Federated networks promise to further change the way we manage privacy and authentication credentials. Be sure to keep an eye on the Liberty Alliance Project and WS-I's developments.
