Purpose: Industry standards group
The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems. It grew to more than 150 organizations, including technology vendors, consumer-facing companies, educational organizations and governments. It released frameworks for federation, identity assurance, an Identity Governance Framework, and Identity Web Services.
The group was originally conceived and named by Jeff Veis, at Sun Microsystems based in Menlo Park, California. The initiative's goal, which was personally promoted by Scott McNealy of Sun, was to unify technology, commercial and government organizations to create a standard for federated, identity-based Internet applications as an alternative to technology appearing in the marketplace controlled by a single entity such as Microsoft's Passport. Another Microsoft initiative, HailStorm, was renamed My Services but quietly shelved by April 2002. Sun positioned the group as independent, and Eric C. Dean of United Airlines became its president.
In July 2002, the alliance announced Liberty Identity Federation (ID-FF) 1.0. At that time, several member companies announced upcoming availability of Liberty-enabled products. Liberty Federation allowed consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites. This federated approach did not require the user to re-authenticate and could support privacy controls established by the user. The Liberty Alliance released two more versions of the Identity Federation specification, and then in June 2003 contributed its federation specification to OASIS, forming the foundation for Security Assertion Markup Language (SAML) 2.0. In 2007, industry analyst firm Gartner said SAML 2.0 had wide acceptance.
Identity web services
The Liberty Alliance released the Liberty Identity Web Services Framework in April 2004 for deploying and managing identity-based web services. Applications included geo-location, contact book, calendar, mobile messaging and People Service, for managing social applications such as bookmarks, blogs, calendars, photo sharing and instant messaging in a secure and privacy-respecting federated social network. A 2008 marketing report recommended considering it for federation.
To grow the identity marketplace, the alliance introduced a certification program in 2003, designed to test commercial and open source products against published standards to assure base levels of interoperability between products. In 2007, the US General Services Administration began requiring this certification for participating in the US E-Authentication Identity Federation.
In January 2007, the alliance announced a project for open-source software developers building identity-based applications. OpenLiberty.org was a portal where developers could collaborate and access tools and information to develop applications based on alliance standards. In November 2008, OpenLiberty released an open source application programming interface called ArisID.
Identity governance framework
In February 2007, Oracle Corporation contributed the Identity Governance Framework to the alliance, which released the first version publicly in July 2007. The Identity Governance Framework defined how identity-related information is used, stored, and propagated using protocols such as LDAP, Security Assertion Markup Language, WS-Trust, and ID-WSF.
Identity assurance framework
The Liberty Alliance began work on its identity assurance framework in 2008. The Identity Assurance Framework (IAF) detailed four identity assurance levels designed to link trusted identity-enabled enterprise, social networking and Web applications together based on business rules and security risks associated with each level. The four levels of assurance were outlined by a 2006 document from the US National Institute of Standards and Technology. The level of assurance provided is measured by the strength and rigor of the identity proofing process, the credential's strength, and the management processes the service provider applies to it. These four assurance levels were adopted by government services in the UK, Canada, and the USA.
Privacy and policy
Management board members included AOL, British Telecom, Computer Associates (CA), Fidelity Investments, Intel, Internet Society (ISOC), Novell, Nippon Telegraph and Telephone (NTT), Oracle Corporation and Sun Microsystems.
Whether federation is desirable for Internet users is debatable given issues of scale. The introduction of Liberty Alliance was initially appealing as an alternative to a system dominated by one company. In practice it was fairly heavy in terms of legal agreements that kept usage primarily focused within Sun Microsystems and related companies that already had working business relationships. The Kantara Initiative took over some work of the Liberty Alliance, Concordia and others in 2009, with several people in the same roles in the new group. Sun was acquired by Oracle Corporation in January 2010 after several quarters of losses during the Great Recession. Veis became a vice president of marketing for Hewlett-Packard.
A common argument for federation involves the harmonization of the various identity data silos that normally emerge when every programmer keeps their own authentication mechanism for their application. These data silos are then resolved by enterprise architecture or systems that maintain authentication across a company. The US Government promoted a program called the National Strategy for Trusted Identities in Cyberspace starting in 2011.
Certainly within organizational boundaries, single sign-on is a useful tool because password maintenance is a significant help desk cost per user. Once one begins to go between organizations, the problem becomes how to share data securely while relying upon an assertion made by an external source. For the user of the system who chooses to use a federated authentication mechanism, how much data will be consumed by the relying party?
For this reason, alternatives to federated identity exist that maintain uniqueness within a given namespace.
This is already accepted at a higher level of assurance (LOA 3) than is typically assigned to federated systems by the GSA Office of Governmentwide Policy. Examples are X.500 directories, X.509v3 digital certificates for authentication, and attribute certificates for authorization to replace the role of SAML in Web Services.