Web services nears federated ID nirvana

Microsoft will add an identity meta system to its current web services development tools to allow for interoperability between authentication technologies.

The system adds an abstraction layer between the web service and the authentication technology, allowing the web service to deal with multiple authentication methods without the need for code adjustments.

It will allow for user identities and rights to be verified between anything from modern internet software to legacy mainframe applications, the company said in a presentation at the Digital Identity World conference in San Francisco.

The technology will enable federated applications, software that relies on claims made by other applications. Although such applications are available today, their number is limited because they are complex and have to deal with multiple authentication standards which do not always interoperate.

"Until we have technologies like WS-Security that allow you to describe these complex relationships, we are going to be stuck with very fixed topologies," John Shewchuck, vice president of distributed systems at Microsoft, told vnunet.com.

"Today we have solutions that allow you to go from a single identity provider to a single relying party based on user name and password. You might be able to tweak the technology and get it to do more complicated things, but it's hard."

Rather than providing the web service with an actual log-in name and password, the abstraction layer sends a claim, or security token, which states that a user's identity has been verified.

A useful analogy would be a pub that needs to know whether a customer is above the legal drinking age, but not their actual date of birth.

The technology reaches interoperability through the use of existing standards under the WS-* banner, such as WS-Metadata exchange and WS-Trust.

The notion of an identity meta system is new, but the technologies that Microsoft used to get there have been around for some time. This makes it easy for providers of software development kits to add support.

Microsoft will ship a software kit that allows developers to create web services using these federated identities within a couple of weeks, according to Shewchuck.

The kit will be part of Indigo, a development tool for web services, of which a pre-release version was made available last March. The final product is slated for release by 2006.

Windows Server 2003 will add support for the technology through Active Directory Federation Services in the upcoming R2 update due later this year, Shewchuck told vnunet.com.

Although Microsoft's development tools will be limited to its .Net language, other vendors will release tools for languages such as Java and PHP.