Last week the industry got down to work on the evolution of federation.
Broad federations. B-to-C and G-to-C. Federations of federations to be exact.
The Burton Group hosted the first-ever open identity for business interop. It was a test that spanned multi-provider, multi-protocol and included multiple levels of assurance. The interop was built on profiles for
SAML,
OpenID and IMI (info.card) developed by the
Identity, Credential and Access Management (ICAM) subcommittee of the U.S. CIO Council.
The goal is to enable the industry to build federations over a broad spectrum using government standards as a baseline. On display was interoperability among published ICAM profiles for OpenID and IMI (info.cards), and the soon-to-be-published ICAM SAML profile.
“The government is saying these are mature enough for government use,” said Drummond Reed, executive director of both the
Open Identity Exchange (OIX) and the I
nformation Card Foundation. “That is an important statement for how ready these are for large scale usage. And the government is also judging what level of assurance the technology and the protocols are ready for.”
From a high level, the goal is to certify identity providers to issue identities that grade out at varying levels of assurance for use in business-to-consumer and government-to-consumer interactions.<more/>
Today, Google, Yahoo, PayPal, Equifax and VeriSign are among certified identity providers (IDPs), but only at Level of Assurance (LOA) 1, which is defined as “little or no confidence in the asserted identity’s validity.”
But the type of infrastructure desired -- trusted providers, graded assurance, policies and trust frameworks (such as the Open Identity Trust Framework Model shown below) – would open the floodgates for identity to be plugged in everywhere on the Internet with levels of assurance up to LOA 4 (very high confidence in the asserted identity’s validity.)
Yes, it would be a huge step forward. But not before some hard work gets done.
“The hard part is the business agreements between the (identity) providers and the relying parties (RP),” said Ian Glazer, an analyst with Gartner/Burton. “Making sure the pipes fit together; not hard at all.”
I have been hinting over the past months that Ping is already engineering support for emerging protocols, such as OpenID. Ping’s participation in the interop is evidence of how that work is progressing, and how those with SAML-based infrastructures will incorporate evolutions in identity.
Federations for business-to-business are being done today – Ping is one company making that possible – but the business-to-consumer space has unique challenges.
“Issues come up with aligning metadata and policies across large scale federations,” said Mike Jones, a board member of the OpenID Foundation and director of identity partnerships at Microsoft.
"Questions center on just getting metadata into a federation database, vetting that information and determining all the information needed has actually been captured,” says John Bradley, federation interoperability working group chairman at
Kantara. “IDPs and RPs have to figure out how to dynamically configure with someone that they are not negotiating with out of band,” he says.
Attribute management is another huge consideration. “We still have lots of work to do on how to use and manage attributes in this trust environment. There are lots of voices screaming lots of options,” said Peter Alterman senior advisor for strategic initiatives at the National Institutes of Health (NIH).
Another issue is the Secure Hash Algorithm (SHA), which the government wants graded at 256. Today, most implementations in federation software are at 1. It’s a relatively easy update for vendors to make, but end-user demand is not yet there, says Glazer. SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.
Last week at the Burton interop, a collection of thought leaders worked through the issues because they know big problems are the most fun to solve.
Ping’s Pam Dingle built a demo showing a user logging into a health-care site with an OpenID and then, via Ping Federate in the background, upgrading to a SAML-based token with a higher level of assurance to enroll in a clinical trial.
Microsoft showed a user with a PayPal ID signing up for a medical device trial using OpenID and WS-Federation behind the scenes.
In addition, OIX announced it formed the
U.S. ICAM Trust Framework Working Group with the hope of extending its existing framework to LOA 2 and 3 statuses. According to OIX’s Reed, the biggest problem will be the business model . “How do you have a successful federal model with money flowing through it,” says Reed.
Ping CTO Patrick Harding said the interop was “where open identity standards meet levels of assurance in the real world.” Harding said what will develop out of this work is a grading system for IDPs so relying parties will know what levels of assurance IDPs support.
The expectation is that “this will be the equivalent of the certification practice statements on PKI from 15 years ago. This is the moral equivalent for federated SSO 15 years later.”
.jpg)
