Existing Identity Systems

From OpenLiberty.org Wiki

Liberty Alliance

WS-* Protocols

Convergence Efforts

Liberty and WS-*

Microsoft's Windows CardSpace is already using SAML 1.1 tokens, a central asset of the Liberty identity infrastructure. While it remains unclear if Microsoft will be upgrading to SAML 2.0, there is hope in the industry that a revision of the core WS-* federation and identity protocols will incorporate new advancements in SAML.

Already, CardSpace is proving to be an authentication method that integrates easily with existing federated identity systems. For example, Martin Gee of ICSynergy announced in January 2007 the development of a CardSpace AuthModule for Sun’s OpenSSO.

The hope that an even deeper integration of Liberty and CardSpace can be achieved was also expressed by Kim Cameron of Microsoft in a 2007 interview:

"[InfoCard] is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.
"Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol [sic], and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard."

Opportunity for convergence

The Liberty Alliance started an effort to facilitate further convergence of existing identity systems. The public forum for these efforts can be found on the Liberty web site.

Liberty and SAML

Liberty uses SAML (any version) as the identity token format. In fact, most IdM systems have converged on SAML as the token format so there is a lot of conceptual similarity between different IdM frameworks once you get one level above the protocol flows. For Liberty ID Web Services Framework (ID-WSF) the SAML token format is a central building block.

While earlier specifications from Liberty, such as ID-FF 1.2 (Identity Federation Framework), addressed Single Sign-On (SSO) use cases using SAML as the token format, the efforts to develop SSO protocols have converged, and Liberty now endorses SAML 2.0 as an SSO layer that is interoperable with the Liberty ID Web Services Framework (ID-WSF).
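To make the "SAML as the token format" point concrete, here is an added example of the checks a service provider (SP) applies to a SAML 2.0 assertion before trusting it: issuer, subject, validity window and audience restriction. It is not code from the OpenLiberty wiki or from any project listed on this page. The assertion is a constructed sample, the IdP and SP entity IDs are assumed values, and the sample carries no XML signature; a real SP must verify the signature (and the response's InResponseTo / Recipient binding) before any of these fields can be believed.

```python
"""Core acceptance checks for a SAML 2.0 assertion (added example, Python stdlib only)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed entity IDs of the trusted IdP and of this SP (not from the page).
TRUSTED_IDP = "https://idp.example.org/idp"
OUR_ENTITY_ID = "https://sp.example.com/saml/metadata"

# Constructed, unsigned sample assertion; not issued by any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2007-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1234</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-03-01T11:59:00Z" NotOnOrAfter="2007-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-03-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def _parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Check issuer, subject, validity window and audience of one assertion.

    Returns (ok, reasons, claims). Every failed check is collected in
    `reasons` so a deployment can log all of them, not only the first.
    """
    root = ET.fromstring(xml_text)
    reasons, claims = [], {}
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, ["root element is not saml:Assertion"], claims
    if root.get("Version") != "2.0":
        reasons.append("Version is not 2.0")

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    claims["issuer"] = issuer
    if issuer != expected_issuer:
        reasons.append("issuer %r is not the trusted IdP" % issuer)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        reasons.append("missing Subject/NameID")
    else:
        claims["name_id"] = name_id.text.strip()
        claims["name_id_format"] = name_id.get("Format")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            reasons.append("assertion expired")
        audiences = [a.text.strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        claims["audiences"] = audiences
        # Stricter than the spec minimum: an assertion that does not name
        # this SP as audience is rejected, even if it is otherwise valid.
        if expected_audience not in audiences:
            reasons.append("audience restriction does not name this SP")

    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    claims["authn_context"] = (ctx or "").strip() or None
    return not reasons, reasons, claims


if __name__ == "__main__":
    now = _parse_time("2007-03-01T12:01:00Z")
    ok, reasons, claims = validate_assertion(SAMPLE_ASSERTION, TRUSTED_IDP, OUR_ENTITY_ID, now)
    print("accepted" if ok else "rejected", reasons, claims)
```

The returned `authn_context` is the hook for the "assertion quality" mapping mentioned under Liberty and OpenID: an SP that accepts tokens from several systems compares this value against the level of assurance the protected resource requires, rather than treating every successful authentication alike.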

Liberty and OpenID

Protocol designers have been working on making the Liberty system and the emerging OpenID technologies more compatible and "integratable" since Oct 2006. The questions that need to be addressed include:

How to move from incompatibility (divergence)

  • to equivalence (mappings),
  • to compatibility (protocol gateways), and finally
  • to convergence (unified solution)?

There are multiple efforts already under way, including:

  • an OpenID-SAML Profile based on iSSO and Lightweight SSO specs, covering simultaneous attribute exchange
  • Bootstrapping from OpenID authentication into ID-WSF
  • SAML Authentication Context descriptors for OpenID "assertion quality"

Furthermore, there are more efforts being considered:

  • OpenID-based identity services, such as the People Service, and unified open source implementations that make this exploration easier

OpenID and WS-*

During the RSA conference in February 2007 Microsoft announced a new strategy regarding OpenID. Some of the projects and efforts Microsoft is considering are:

  • Support in products for OpenID
  • Collaboration on use of CardSpace with OpenID


Open Source Projects

Here is a listing of the projects we know of and what they each say about themselves.

ZXID
  • ZXID aims at a full-stack implementation of all federated identity management and identity web services protocols. It already supports SP and ID-WSF WSC roles, with other roles such as WSP and IdP to follow. See freshmeat.net/projects/zxid for announcements.
  • ZXID is lightweight, has a small footprint, and is implemented in C. It is suitable for both high-performance and embedded applications. Scripting languages are supported using SWIG, including Perl/mod_perl, PHP/mod_php, and Java (as JNI) on Tomcat. Platforms include all Linux/Unix systems as well as preliminary Windows support. The "full stack" nature of ZXID means it's self-contained and has minimal external library dependencies.
  • Targeted Federated Identity Standards
    • SAML 2.0 (SP role 98% done)
    • SAML 1.1 (Assertion Consumer role 60% done)
    • Liberty ID-FF 1.2 (SP role 62% done)
    • WS-Federation 1.0 Basic Profile (Assertion Consumer role 40% done)
  • Targeted ID Web Services Standards
    • Liberty ID-WSF 2.0 (WSC role 95% done)
    • Liberty ID-WSF 1.1 (40% done)
    • General Web Services Security in SOAP messages (10%)
Lasso
  • Lasso (Liberty Alliance Single Sign On) is a free software C library aiming to implement the Liberty Alliance standards; it defines processes for federated identities, single sign-on and related protocols. Lasso is built on top of libxml2, XMLSec and OpenSSL and is licensed under the GNU General Public License (with an OpenSSL exception).
  • Lasso first focused on implementing the Liberty Alliance ID-FF 1.2 protocols. It now supports a good part of ID-WSF, and SAML 2.0 support has also been completed.
  • SWIG is used to provide high-level bindings for other languages. Currently tested and distributed bindings are Python, Perl, Java and PHP, as well as preliminary .NET assemblies (for C# and the .NET runtime environment).

Authentic
  • Authentic is a Liberty-compliant identity provider aiming to address a broad range of needs, from simple to complex setups. Its Liberty compliance relies on Lasso, a free (GNU GPL) implementation of the Liberty Alliance specifications. It is a Quixote application and is commonly run inside the Apache web server.

Source ID
  • Federated identity infrastructure enables cross-boundary single sign-on, dynamic user provisioning and identity attribute sharing. By providing for identity portability, identity federation affords end-users increased simplicity and control over the movement of personal identity information while simultaneously enabling companies to extend their security perimeter to trusted partners. New identity federation standards provide companies with the foundation for securing their outsourced business processes, hosted applications and web services while simultaneously addressing a host of other security, management and integration challenges.
  • Coverage - SAML 1.1, Liberty ID-FF 1.1, Liberty ID-FF 1.2, WS-Federation
Sun OpenSSO
  • The Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java™ System Access Manager, a core identity infrastructure product offered by Sun Microsystems.
  • OpenSSO Extensions is an incubator for modules that build on the access control, single sign-on and federation technology in OpenSSO, but are not part of the core project. For example, currently there are developers working on an OpenID identity provider and a PHP client SDK.
  • OpenSSO is in use at the SSOCircle identity provider. Anyone can create an account at SSOCircle, upload service provider metadata and test their SAML 2.0 or OpenID service provider/relying party.
Higgins
  • According to its charter: "[Higgins] is developing an extensible, platform-independent, identity protocol-independent, software framework to support existing and new applications that give users more convenience, privacy and control over their identity information." Although Higgins components can be used for creating IdPs and SPs (RPs), the main focus is on creating what the Higgins folks call an "Identity Agent" that runs locally or remotely and is accessed by a browser extension that must be installed. The Higgins framework plans support for CardSpace, OpenID and SAML/Liberty protocols and plans to overlay all of these with a consistent, graphical "card-based" user experience. Higgins is currently hosted at the Eclipse Foundation and is one of the core projects of OSIS.
Heraldry Project
  • This is a proposal to create a project within the Apache Software Foundation to develop technologies around the emerging user-centric identity space. The project would utilize Yadis for URL/XRI-based service discovery and OpenID [2] for web based single-sign-on and the basis of exchanging profile data. Yadis is currently being standardized within OASIS as part of the XRI effort, within a TC committed to creating royalty-free work, and OpenID has emerged as a de-facto specification. The two initial components of the project, downloadable perspective, would be an Identity Provider application and libraries in various languages that implement Yadis and OpenID. The initial goal would be to both provide an out-of-the-box application as well as the required libraries for other developers to integrate Yadis and OpenID into their existing applications.
Bandit Project
  • Bandit is a set of loosely-coupled components that provide consistent identity services for Authentication, Authorization, and Auditing. The Bandit project creates a community that organizes and standardizes identity-related technologies in an open way, promoting both interoperability and collaboration.
  • Bandit implements open standard protocols and specifications such that identity services can be constructed, accessed, and integrated from multiple identity sources. Bandit components support many authentication methods and provide user-centric credential management. On this base of a common identity model, Bandit is building additional services needed for Role Based Access Control (RBAC) and for the emission of records to verify compliance with higher level policies.
Shibboleth
  • The Shibboleth software provides a complete implementation of the OASIS SAML v1.1 specification, providing a federated Single Sign-On and attribute exchange framework built on top of OpenSAML. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attribute information being released to each Service Provider. Using Shibboleth-enabled access simplifies management of identity and access permissions for both Identity and Service Providers. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License.
OpenSAML
  • OpenSAML 1.1 is an Apache-licensed open source toolkit for implementing solutions using the SAML 1.1 and 1.0 specifications. It is a production-quality release available for Java (1.4) and C applications, and is built on various Apache-supported XML projects like Xerces and XML-Security.
  • OpenSAML 2.0 is in development, and will include support for the SAML 2.0 standard, as well as legacy support for SAML 1.1 and 1.0. The redesigned library includes a superset of the functionality in earlier versions, but will NOT be API-compatible with them. It will remain Apache-licensed.
Conor Cahill ID-WSF tools
Project Lightbulb
  • Project Lightbulb brings federated identity to LAMP and MARS developers. Tools for interpreted languages such as PHP, Ruby and Python integrate with Sun's open source Java federation software.
PAPI
  • PAPI is an SSO system able to provide federated access that has been under development by RedIRIS since 2001.
  • The system consists of two independent elements: the authentication server (AS), which plays the IdP role, and the point of access (PoA), which plays the SP role.
  • A PAPI AS is able to incorporate practically any kind of credentials: experiences range from plain username/password pairs to X.509 certs and Kerberos tickets, including complex environments with different credential sources.
  • PAPI supports two different kinds of PoAs: the GPoA (outer SP), providing interactions with the rest of the federation elements, and "plain" PoAs (inner SP), that provide actual access to the resources.
  • Currently, PAPI ASes, GPoAs and PoAs communicate using a proprietary, pre-SAML protocol, though there are implementations for ASes and GPoAs able to use the Shibboleth SAML profile.
  • The PAPI PoA-GPoA structure allows for a simple (and pervasive) deployment of federated access control systems in heterogeneous environments. There are PoA implementations for Java (both javax.servlet.filter and JAAS), Perl and PHP, plus an attribute-aware HTTP/HTTPS proxy that can be used as a last-resort solution for including legacy applications.
Map Graphic (in progress)

This is a dynamic mindmap of the open source projects we track and report on here. It is in development. If you use Safari, we apologize for the bug. For others, you should be able to interact with the Map right from within your browser.

This Map is built using Open Source Software called FreeMind. You can download a copy of FreeMind and edit this mindmap source file locally. If you make any changes locally please contribute your changes back to this page. If you just want a picture of the Map you can grab the Latest Version (PNG file).

Commercial Products

Windows CardSpace

NetMesh InfoGrid

Supports OpenID, LID, Yadis etc. Dual-licensed (open-source and commercial). See netmesh.org.


Liberty Alliance

Identity Commons

  • The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet, one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities. (from http://wiki.idcommons.net/moin.cgi/PurposeAndPrinciples)

OSIS
  • OSIS brings together many identity-related open-source projects, and synchronizes and harmonizes the construction of an interoperable identity layer for the internet from open-source parts. Its first deliverable is interoperability with Microsoft's Windows CardSpace, although OSIS also encompasses alternate technologies such as OpenID and also Liberty.