Can a service-oriented architecture (SOA) approach to enterprise identity management provide interoperability between Liberty Alliance's SAML 2.0, Microsoft's Windows CardSpace and Verisign Inc.'s OpenID?
Roger Sullivan, president of the Liberty Alliance Management Board and vice president of identity management at Oracle Corp., believes the flexibility of the SOA approach will be the key to achieving goals such as single sign-on (SSO) across multiple systems.
Under the banner of the Concordia Project, supporters and users of the SAML 2.0, CardSpace and OpenID identity specifications came together in June to listen to what enterprise customers need for interoperability. This week, Concordia announced plans for a second fact-finding meeting on Sept. 26, at the Digital Identity World (DIDW) conference in San Francisco.
Following that meeting, Concordia is expected to have use cases and input from major enterprises including Boeing Corp., General Motors Corp. and Chevron Corp., as well as government agencies. The next step will be the development of prototypes based on an SOA approach to identity management and interoperability.
"These enterprises are dealing with multiple silos of identity information," Sullivan said in explaining why he believes SOA will be the best approach. "They have a myriad of applications they need to grant access to and users who need access to the information. This includes internal employees, external partners, customers, consumers, customer advocacy groups and government agencies. The only way that is going to work going forward is if the industry advocates and builds a service-oriented architecture approach to identity information."
The Concordia Project recognizes that the three competing identity management systems are not going away.
"Assuming that all identity is going to be in one silo or that there will only ever be one method of authentication is a fallacy," Sullivan said. "Therefore vendors and customers alike need to focus on a standards-based middle-tier environment that is in fact a service-oriented architecture for identity permissions and identity access management."
In a business world where mergers and acquisitions are common, companies constantly find that a newly acquired division has legacy systems with identity management that doesn't match the rest of the company, Sullivan said.
"Now in the died-and-gone-to-heaven environment there would be one single sign-on methodology, one protocol that everyone would use," he said, "but that's simply not reality. So you need to figure out a way to be flexible and to allow access through an SOA infrastructure, otherwise you're frankly doomed to failure. You're prevented from growing your organization because you are bound and restricted by legacy apps."
Sullivan envisions services could be deployed that would allow a user to sign on once to the corporate system and then gain access to information and systems they are entitled to view and use regardless of which security systems are guarding the data.
"The whole premise of Concordia has been that we are listening to what customers have to say," Sullivan said. "We in the standards creation community are listening to large deployers of these systems, who tend to be on the leading edge of deployment technology."
After the meeting this month to listen to more users and gather more use cases, Sullivan said he expects the project members will begin to work on prototypes of an SOA identity management system. Those prototypes may be ready for the next meeting of the Concordia Project, possibly at the RSA conference in 2008.