Last week at RSA, a joint presentation was given that demonstrated the interoperability of different multi-platform and multi-protocol identity authentication standards. The presentation "Open Source Identity Services - Multi-platform and Multi-protocol interoperability with Bandit, Higgins and others" can be found here. The presentation was proof that there is hope for meshing together the different identity and authentication technologies already in place in most enterprises. Let's look at the three components in the presentation to understand the significance of what they demonstrated.
Higgins is an extensible, platform-independent, identity-protocol-independent software framework that can support existing and new applications. It does this via:
* An identity attribute service (IdAS) that supports multiple identity context providers abstracting information from LDAP, SAML, OpenID, Infocard and RDF
* An Infocard provider and Security Token Service (STS) which uses IdAS from multiple identity providers
* Ability to use multiple forms of agents such as web-based and client-side card managers, browser extensions, and user interface (infocard selectors)
Higgins has been referred to as the Switzerland of identity. By being a neutral state it effectively allows different identity standards to interoperate.
Bandit is an open-source project sponsored by Novell that implements open standard protocols and specifications so that identity services can be constructed, accessed and integrated from multiple identity sources. One of its goals is to provide enterprises with consistent identity services for authentication, authorization and auditing.
Bandit does this by using the following:
* Identity attribute service from Higgins (IdAS)
* Authentication services (CASA), which use a client credential store and authentication services, a simple security token service with Kerberos support, and server-side authentication modules (JAAS, JACC and mod-CASA).
* Role engine (leveraging Sun's XACML)
* Audit record framework (ARF), which uses an event submission framework with a standard structured format for identity data
The Pamela Project champions robust, open source relying party code development and integration for information card technologies. Developed by Pam Dingle of Nulli Secundus, the demonstration showed a plugin for WordPress. Pam is an awesome identity analyst and an Infocard specialist.
What the demonstration did was the following:
1. Accessed a wiki through a gateway using a username and password (in this case the credentials came from a user account in Novell Access Manager (NAM), with NAM acting as the gateway and as a Liberty Alliance Service Provider.)
2. Generated a managed card from a personal card (the managed card received its identity data from NAM using Higgins IdAS and LDAP)
3. Accessed the wiki through the gateway with the card (managed card linked from the personal card, with NAM acting as the relying party)
4. Accessed the wiki directly with the card (authorization and audit based on card data using Bandit components)
5. Accessed the Pamela Project WordPress blog with the card
This is the forerunner of what typical identity transactions will look like in the near future in most enterprises. Hats off to the Higgins, Bandit and Pamela Project members!
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com