Latest SAML 2.0 Tech Pushes Federation Interop

The SAML 2.0 interop products list continues to grow, with big names and less familiar ones. IBM, NEC, RSA Security and NTT this week passed Liberty Alliance's SAML 2.0 interop testing. Ping Identity, a smaller federation firm, also shipped a SAML 2.0 release this week, with an intelligent approach to configuration consoles. IDN looks at how SAML 2.0 will help vendors and users of all sizes converge their security between Liberty, SAML and Shibboleth.

Tags: Federation, SAML, Security, Identity Manager, Liberty, Configuration, Standard

The list of SAML 2.0 federated security interop products for cross-platform single sign-on continues to grow -- thanks to big names and less familiar ones.


[Figure: how SAML 2.0 relates to the converging Liberty, SAML and Shibboleth specifications and to WS-Federation]

In this article, IDN provides:

  1. A SAML 2.0 update (below); and
  2. Insights from Ping Identity, a small federation firm delivering its SAML 2.0 offering, which represents a next wave in easy-to-configure cross-platform identity for J2EE, .NET, web services and even remote web apps (bottom).
Inside The Big Guys' Latest Liberty-Compliant Offerings
"Liberty's Interoperable Program is about creating a global ecosystem of identity solutions that have been proven to work together in an open federated network environment," Roger Sullivan, chair of the Liberty Alliance conformance program, said in a statement. (Sullivan is also vice president of business development for Oracle Corp.'s Identity Management unit.)

To meet Liberty's requirements for interoperability, vendors must provide solutions that deploy quickly and immediately interoperate with other Liberty-enabled identity solutions. The latest vendors passed tests conducted at a Liberty interoperability event in Tokyo, Japan, Nov. 7-11, 2005.

IBM - IBM Tivoli Federated Identity Manager (FIM) provides a simple, loosely-coupled model for managing identity and access to resources that span companies or security domains. Rather than replicate identity and security administration at both companies, IBM Tivoli Federated Identity Manager provides a simple model for managing identities and providing them with access to information and services in a trusted fashion.

To support SOA and web services, FIM provides policy-based integrated security management for federated web services. The foundation of FIM is trust, integrity and privacy of data. On that foundation, organizations can share identity and policy data about users and services rather than replicating identities and security policies locally. The sharing of trusted identities and policies is the key to delivering a richer experience for users navigating between federation sites.

A federated model simplifies administration and enables companies to extend identity and access management to third-party users and third-party services. IBM Tivoli Federated Identity Manager (FIM) provides its rich federation functionality by supporting a number of standards and specifications including SAML, Liberty ID-FF, WS-Security, WS-Trust, WS-Federation, WS-Provisioning, XML Digital Signature and XML Encryption.

NEC - The Liberty-Enabled Proxy (LEP) Module is a functional component of the NEC Mobile Internet Platform (NEMIP). The LEP Module complies with the Liberty ID-FF 1.2 LECP standard and manages the operations of Proxy, User Agent, Identity Provider and Service Provider in accordance with the Liberty-Enabled Client/Proxy profile. This component also complies with the SAML 2.0 ECP (Enhanced Client or Proxy) profile. With the LEP Module, the NEC Mobile Internet Platform (which handles management of user information, content and services information, agent charging and billing, and flexible support for new features as the platform grows) can provide management services to mobile operators.

RSA Security - RSA® Federated Identity Manager enables businesses to easily and securely share trusted identities between autonomous business units and with customers and partners. A standalone, standards-based solution that is ideal for heterogeneous environments and delivers tight integration with RSA SecurID two-factor authentication technology, RSA Federated Identity Manager offers greater collaboration and revenue-generation opportunities for organizations, and increases end-user convenience and productivity through seamless federated single sign-on to partner sites.

NTT - NTT's identity information sharing module (I-dLive) is an identity federation platform for subscribers of new broadband network services provided by NTT group companies. This module has achieved certification for SAML 2.0 OASIS Standard, ID-WSF 1.0, ID-FF 1.2 and ID-FF 1.1.


Inside Ping Identity's User-Friendly Federation
For its part, Ping Identity Corp. (Denver, Colo.) is shipping PingFederate v3, an upgrade to its identity federation server. PingFederate v3 was built from the ground up to provide best-in-class SAML 2.0 functionality across the whole lifecycle -- acquiring, installing, learning, configuring, integrating and deploying -- execs said. In addition to handling SSO (single sign-on), PingFederate v3 will also enable single sign-off (the SAML 2.0 Single Logout profile).

"Many of our customers want to federate their identity services between new architectures, such as SOA, and their legacy systems. But even with SAML 2.0 compliance, it can be very difficult to configure [cross-platform] security correctly," Mike Donaldson, Ping Identity's vice president of marketing told IDN. "We've abstracted a lot of that complexity in PingFederate."

PingFederate v3 brings a wide variety of out-of-the-box support for cross-platform SSO federation, including J2EE app servers, .NET, internal web services and even off-site web applications. Moreover, PingFederate v3 adds configuration intelligence, which drives a template-based, wizard-like interface that enables technicians not fully acquainted with every platform to configure, test and deploy end-to-end federated solutions across all systems.

Inside PingFederate's Use Case-Driven Configuration
One of PingFederate v3's key features is its "Use Case-Driven Configuration" templates. "We have taken Best Practices, so to speak, for how customers can best implement SAML 2.0 to federate identity solutions end-to-end, and then put that intelligence into our console," Donaldson said.

As a result, PingFederate's Use Case templates power an intelligent configuration console that will walk first-time and experienced federation administrators through an entire end-to-end configuration process.

With Use Case-Driven Configuration, an admin needs only to provide three pieces of information: role (identity provider, service provider or both); profile (SSO or single sign-out); and binding (HTTP POST, HTTP Redirect or HTTP Artifact). The intelligence behind the config console then provides the admin with a series of dynamically generated, customized data entry pages which lead him step by step (like a wizard) through everything required to configure the connections.
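The binding choice above is not just a console setting; it changes what travels on the wire. The following is an added example (not PingFederate code and not from the original article) that builds a minimal, unsigned SAML 2.0 AuthnRequest and encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding into a SAMLRequest query parameter) and for the HTTP-POST binding (base64 in a form field). The entity IDs and URLs are hypothetical, and MAX_INFLATED is an assumed cap on how large a received SAMLRequest may inflate to, the kind of guard a service provider wants so that a tiny deflated payload cannot expand into hundreds of megabytes. The Artifact binding is not shown because it requires a back-channel resolve round trip.

```python
"""SAML 2.0 AuthnRequest encoding for the HTTP-Redirect and HTTP-POST bindings.

Added example; all URLs and entity IDs are hypothetical placeholders.
"""
import base64
import datetime
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

MAX_INFLATED = 64 * 1024  # assumption: upper bound on an inflated request, tune per deployment


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, issue_instant=None):
    """Return a minimal unsigned AuthnRequest as an XML string (caller supplies hypothetical URLs)."""
    req_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,               # the IdP endpoint this request is meant for
        "AssertionConsumerServiceURL": acs_url,   # where the IdP should POST the response
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    })
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) -> base64 -> URL-encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query):
    """Reverse of encode_redirect, refusing payloads that inflate past MAX_INFLATED."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    try:
        xml_bytes = inflater.decompress(raw, MAX_INFLATED)
    except zlib.error as exc:
        raise ValueError("malformed DEFLATE data in SAMLRequest") from exc
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("inflated SAMLRequest exceeds MAX_INFLATED")
    return xml_bytes.decode("utf-8")


def encode_post(xml_str):
    """HTTP-POST binding: the XML goes base64-encoded into a SAMLRequest form field."""
    return base64.b64encode(xml_str.encode("utf-8")).decode("ascii")


def decode_post(field_value):
    return base64.b64decode(field_value, validate=True).decode("utf-8")


def parse_request(xml_str, expected_destination):
    """Parse a received request and check it was addressed to this endpoint."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this endpoint")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("missing saml:Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text,
        "acs": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/metadata",
                              "https://idp.example.com/sso",
                              "https://sp.example.com/acs")
    print("GET /sso?" + encode_redirect(req, "state-123"))
    print("POST field SAMLRequest=" + encode_post(req)[:40] + "...")
```

Signatures differ by binding too: with HTTP-Redirect the signature covers the URL-encoded SAMLRequest, RelayState and SigAlg parameters and rides in a separate Signature parameter, whereas HTTP-POST carries an enveloped XML Signature inside the document. Whichever binding the console selects, the receiving side should still verify Destination, Issuer and the signature before acting on the request.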

PingFederate v3's Enterprise Deployment Architecture renders "federation" a standalone service available throughout the enterprise. This allows an organization to connect multiple security domains, both internal and external, to the same server so all configurations, partner trust relationships and audit logs can be managed centrally.