Attempting to soothe enterprise headaches over identity management complexity, an emerging set of Web services-based standards and technologies are surfacing to offer a unified approach to managing diverse infrastructures.
Surfacing quickly on the horizon is the SAML (Security Assertion Markup Language) specification, due for a vote before the full membership of the Organization for the Advancement of Structured Information Standards (OASIS) in September.
SAML is designed to exchange defined authentication and authorization information between Web access management and security products, while leveraging Web services standards, including XML and SOAP (Simple Object Access Protocol), noted James Kobielus, senior analyst at The Burton Group Corp. in Midvale, Utah.
Because SAML assumes that the source and destination of delivered messages have already created registered identity accounts for users, the standard is paving the way for account provisioning vendors to propagate identities across distributed networks, Kobielus explained.
"Provisioning tools automatically create accounts on federated platforms, and then SAML will allow [messages] to do SSO [single sign-on] across the accounts on those federated platforms," Kobielus said. "SAML doesn't describe how to provision on those accounts."
The sheer volume of enterprise user accounts and distributed applications creates an inescapable "vortex," forcing customers to seek ways to cut costs while automating security and efficiency, said Pete Lindstrom, senior security strategies analyst at Framingham, Mass.-based Hurwitz Group Inc.
Automating the extended processes surrounding ID management and account provisioning can reap immediate rewards, from freeing up critical help-desk support to increased employee productivity and ROI, Lindstrom said.
"As we build up and pull ourselves out of this recession, we start to look at ways to do things smarter and not harder. We're all cutting through the bone in a lot of ways," Lindstrom said.
"[But] it's unclear to me how anyone does not have or is not looking to purchase some form of ID solution that gives you two primary components -- policy-based workflow and provisioning of accounts and follow-on attributes," Lindstrom added.
OASIS has a group working to define SPML (Service Provision Markup Language), but the SPML standard is nowhere near the maturation point of SAML.
A number of security vendors, including PKI (public key infrastructure) players and ID management providers focused on Web access management, will gather in mid-July at The Burton Group's annual Catalyst Conference to offer a public demonstration of the SAML 1.0 standard implementation within a Web browser profile.
According to Burton's Kobielus, the cross-enterprise Web SSO interoperability event will demonstrate two points. The first of which, Identity and Access Management Federation, will feature businesses incorporating different vendors' Web access management products to share, authenticate, attribute, and authorize information.
The second demonstration will offer browsers that authenticate at "portal" sites and then access Web resources managed under other federated content sites.
Participating vendors include Sun Microsystems Inc., IBM Corp./Tivoli Systems Inc., RSA Security Inc., Novell Inc., Baltimore Technologies PLC, Oblix Inc., Netegrity Inc., Crosslogix Inc., OverXeer, ePeople Inc., Sigaba Corp., and Entegrity Solutions Corp.
The standards activity builds on recent work by ID companies such as Courion Corp., which last week introduced AccountCourier 2.0, an upgraded version of its automated account provisioning and user ID management product.
New features built into AccountCourier include a RDK (Rapid Development Toolkit) to build provisioning connectors for third-party systems, customized in-house applications, or Web portals using Java, XML, Perl, or C++, said Tom Rose, vice president of product marketing at Framingham, Mass.-based Courion.
The new provisioning connectors also support Microsoft Exchange, Lotus Notes, HP-Unix, Sun Solaris, OS /390 ACF2, RSA ClearTrust, Netegrity SiteMinder, and Oblix Netpoint platforms, Rose said.
Other AccountCourier additions include Dynamic Communities, to connect and leverage existing identity stores; Adaptive Workflows, for policy automation; Human Resources Connectivity; and User Modeling, to create new user accounts through cloning procedures to shorten provision cycles.
Rose said customers are reluctant to embrace the Passport-oriented "clearinghouse" ID management message Microsoft Corp. is touting in its .Net platform.
"The feedback we hear from managing internal applications [is that] nobody wants to allow Microsoft to have all internal applications Passport-enabled," Rose said.
"Customers want to have control over authoritative users of internal data. We're tying into whatever data stores you have," Rose added.
Hurwitz's Lindstrom said Courion's history as a strong password-reset and synchronization player will leverage that portion of its existing install base that has already collected data useful for back-end account provisioning.
Meanwhile, other market players are stirring. Waveset Technologies Inc., an Austin, Texas-based competitor for the ID management provisioning space over which Courion, Access360, BMC Software Inc., and Business Layers Inc. are jostling, announced this month the launch of Waveset Lighthouse V2. The product allows IT organizations to offer authorized access without the step of manually granting each user access to a specific set of applications, said Waveset President Mark McClain.
BMC has also entered the fray, partnering with Oblix this month to announce Oblix IDLink. The product facilitates identity management between Oblix NetPoint and BMC's Control-SA software to provide a single management infrastructure for user access control and ID management provisioning.
SAML battle lines drawn
Vendors take sides over proposed Web services security standards.
Supporters
Web access management vendors such as Baltimore, Tivoli, Netegrity, Novell, RSA and Sun, which seek to improve ID security and managementWeb services middleware, security, and app vendors that are working with OASIS on specsVertical and industry groups such as the Liberty AllianceDetractorPrimary critic Microsoft has undertaken several countermeasures.
Pushing Kerberos and Passport as SSO alternativesAddressing federated ID and access management with Global XML Web Services Architecture, the WS-Security specification, and TrustBridgePlans to define a "WS-Federation" spec with IBM, among othersSOURCE: The Burton Group