Liberty unveils single sign-on spec

An alliance of technology firms and big businesses has unveiled plans for single sign-on authentication that will enable users to access numerous websites via any device.

The Liberty 1.0 specification means that affiliated sites which ask users to sign in will be able to share authentication, but not personal, information.

Users can sign in once and then access several secure sites which they have agreed can share their authentication details.

Using the specification allows firms to continue with their existing authentication infrastructure, according to Mike Walker, director of worldwide research and development at Vodafone.

Liberty 1.0 is based on open standards, including Security Assertion Markup Language (SAML), an XML-based language that allows users to transfer security credentials from one affiliated site to another.

SAML was developed by the Organisation for the Advancement of Structured Information Standards to address the need for secure single sign-on among diverse web access management environments, based on XML and Simple Object Access Protocol.

It is a standard that has proved its "viability in practice", explained James Kobielus, senior analyst at the Burton Group.

Having open standards is essential in ensuring that the maximum number of ecommerce operations can benefit, said Walker, who confirmed that Liberty 1.0 would be compatible with rival sign-on technologies developed by IBM and Microsoft.

But some analysts remain sceptical about how the different identity systems will interoperate.

"It is clear that we have a juxtaposition between SAML for the Liberty Alliance and WS-Security for the Passport camp," said Tim Jennings, research production director at analyst firm Butler Group.

With products using the identity management, which is not expected until next year, it is unclear at this stage how they will work together, he added.

Based on five areas of functionality - account linking, simplified sign-on, authentication, global log-out and data transmission - the Liberty 1.0 specification can be used for access from both fixed and wireless devices.

Future versions will concentrate on how users can define what personal information can be shared securely, and by whom, said Walker. He predicted that the second specification will be released "in six to nine months' time".

The sign-on specification will also be used by businesses for internal systems, and possibly to identify suppliers.

Rob Robless, chief technology officer at United Airlines, said that his company had begun to use Liberty 1.0 "to link internal systems" and would consider using the technology with "key business partners".

Mastercard is examining how it can use the technology to provide a secure link for customers to access other accounts, according to Simon Pugh, vice president of infrastructure and standards at the credit card company.

"We look forward to evaluating future products based on this specification for our member financial institutions," he said.

The first products using Liberty 1.0 are expected to ship before the end of the year.

Sun Microsystems will incorporate the specification into its Sun Open Net Environment, the Solaris operating system and its Java technology.

Novell will use Liberty in its Saturn identity management solution, which is expected before the end of this year.

The emphasis on the user being able to opt-in to trusted relationships will encourage usage, according to Jennings. "But it could become complex for users to have to manage a large number of trust relationships," he warned.

"Longer term, I feel we still need independent trusted authorities to manage user identities, which act as the 'root' of the federated structure."