Should You Use Liberty or Passport for Digital Identities?


Select Q&A, J. Pescatore, A. Litan
Research Note, 12 August 2003

Federated digital identities, such as those from the Liberty Alliance and Microsoft Passport, will not offer business value until a global service provider routinely issues standards-based identities to all of its customers.

Core Topic
Security and Privacy: Security Tools, Technologies and Tactics

Key Issues
Which vendors will emerge as leaders in the information security domain?
How will network-based applications become safe for mission-critical businesses during the next five years?

Strategic Planning Assumptions
Through YE05, the Liberty Alliance will provide a viable set of standards for enterprises that need multivendor support for federated identity services (0.7 probability).
By YE05, a major global service provider will issue SAML-based identities to its users, which will force Microsoft to fully support SAML in Windows, or Liberty will be relegated to niche status by year-end 2007 (0.6 probability).
By 2H05, Microsoft will support the ability to expose internal Windows authentication actions as SAML assertions and perform Windows authentication based on SAML assertions (0.6 probability).
Prior to 2H05, Microsoft Passport and Liberty Alliance identity service specifications will not be mature enough to support cost savings in consolidating identity services (0.7 probability).

How do the Liberty Alliance and Microsoft Passport differ?

The key differences between the Liberty Alliance and Microsoft Passport are:
- Liberty is a set of specifications for interoperable identity services. Passport is a centralized identity service controlled by Microsoft.
- Liberty is based on the draft SAML industry standard from the Organization for the Advancement of Structured Information Systems (OASIS), which Microsoft has not formally supported.
The Liberty Alliance is a group of 170 companies, including Sun Microsystems, Nokia, American Express and others, that delivers technical specifications and business guidelines for federated identity services across enterprises. Liberty does not produce the applications; vendors such as Sun, Novell, PeopleSoft and Hewlett-Packard develop interoperable applications that support the Liberty standard. The Liberty Alliance specifications will enable different service providers to participate in a federated trust network. However, the set of products that provide identity services based on the Liberty standards is limited.

The phase-one Liberty specifications, which were sent to OASIS in April 2003, support single sign-on across enterprises and applications based on the open SAML standard. Phase two of the standard, which is in draft, will address more-difficult technical and business requirements, such as permission-based attribute sharing of identity information. Liberty will issue business guidelines that address how to manage liability issues and revocation procedures across participating enterprises. Nokia and Vodafone Group are developing Liberty-based applications for business-to-consumer (B2C) transactions.

American Express, Sun and General Motors are developing a business-to-employee (B2E) application. Three business-to-business (B2B) applications are available.

Microsoft Passport is a centralized single-sign-on service, as well as a standard supported by Microsoft operating systems and directory services. Its centralized consumer service is implemented and operated by Microsoft for approximately 200 million accounts that use Microsoft mail (Hotmail), Messenger and Internet service provider (ISP) services. In September 2001, Microsoft announced that it would support a federated network service architecture in 2002; however, that did not occur. Passport doesn't play an important role in B2E applications. Internal Windows Kerberos provides single sign-on by extending Windows desktop authentication across other Windows applications within an Active Directory environment. Passport could be used for B2B applications as a Microsoft-hosted service to support single sign-on, or business partners could integrate directly using Kerberos mechanisms. In June 2002, Microsoft announced that it was developing TrustBridge to provide integration with non-Windows Kerberos; nothing has been released.

How do I choose the best identity services solution for my application?

Choosing the best technology for an application depends on the usage scenario and time frame:

B2E: For enterprises that are investing heavily in Active Directory, Windows XP and Windows 2003 Server, issuing, managing and using digital identities based on Kerberos will be the "path of least resistance" during the next three years. Where interfaces are required from Windows to Unix-based systems, vendors in the extranet access management (EAM) space provide products that bridge the Windows/Unix gap.

B2B: For heterogeneous B2B environments or ad hoc business connections, Liberty's open standards approach has many advantages compared to a Windows-centric approach. In particular, strong support for SAML is the best way to assure platform independence in the long term. Passport can be used when business partners have homogeneous Windows environments and have committed to issuing and using Passport identities.

B2C/government-to-citizen: Although most online consumers use Windows-based PCs to connect to the Internet, their digital identities are issued by ISPs or mobile service operators, with which Unix- and Linux-based systems are common. In addition, Internet access from cellular phones, personal digital assistants (PDAs) and other non-Windows-based platforms is increasing. Thus, a platform-independent approach to digital identities is becoming more important. This argues for using the SAML-based Liberty standard.

Will Liberty be viable in five years?

There has been much hype about digital identities in general. Enterprises are not using Passport and Liberty for a meaningful amount of Internet commerce. Because Passport will be built into Microsoft's products and services (such as Microsoft Network, Hotmail, WebTV and others), Passport will grow even if there is no demand. If the government of a large country, a large credit card issuer, or a large U.S. ISP or cellular carrier commits to issuing Liberty-based identities prior to 2005, then the Liberty standards will be meaningful enough to force Microsoft to interoperate or to at least adopt key aspects of Liberty, such as SAML. Nokia and other Liberty Alliance members are working with mobile operators and the Open Mobile Alliance to embed Liberty standards and protocols into cell-phone-based Internet services by 2004. However, operators have made no commitments to issue SAML-based identities. Mobile operators likely will be reluctant to manage their coveted consumer information using open standards because they may perceive this as a loss of control over their customer base. Mobile operators, as well as foreign governments, likely will be even less willing to allow a Microsoft-driven technology to get between them and their customers. Therefore, through YE05, the Liberty Alliance will provide a viable set of standards for enterprises that need multivendor support for federated identity services (0.7 probability).

By YE05, a major global service provider will issue SAML-based identities to its users, which will force Microsoft to fully support SAML in Windows, or Liberty will be relegated to niche status by year-end 2007 (0.6 probability).

What are the risks in choosing one standard instead of the other?

Microsoft Passport has proved to be an insecure system in the past several years, with numerous individuals and hackers finding holes to exploit. For example, in May 2003, an Indian researcher discovered a way to reset Passport account passwords. Had he been a malicious attacker, he could have broken into every Passport holder's account. At that time, Gartner recommended that users wait until November 2003 to interface with or use the Passport service to give Microsoft time
to fix that vulnerability, as well as others that we believed would be (and have been) found.

An obvious risk in using Passport capabilities built into Windows is that it can lock enterprises into the Microsoft architecture, making it more difficult to communicate with interenterprise applications that use different technologies. A key benefit of federated identity services is the ability to manage identities from external organizations; an open architecture makes this easier to accomplish. Although Microsoft dominates the desktop, Linux desktop use has increased. Also, there has been strong growth in access from cell phones and PDAs, areas in which Microsoft is less dominant. To address such fears of lock-in, by 2H05, Microsoft will support the ability to expose internal Windows authentication actions as SAML assertions and perform Windows authentication based on SAML assertions (0.6 probability).

The Liberty Alliance standards also have a set of risks. Phase one of single sign-on is based on the open SAML standard, which has evolved over several years. However, multiple vendors will have to implement SAML-based applications and ensure that the applications interoperate and are secure. The Liberty federated identity service specifications become much more useful and potentially more "buggy" as they move into phase two, which supports the difficult and more-complex job of managing identity management business rules, such as permission-based release of private information across participating enterprises and heterogeneous applications. Significant phase-two implementations (supported by major organizations with "critical mass" applications) likely will not take place until at least 2005. Therefore, an enterprise's phase-two efforts may never bear fruit because application complexity may impede notable progress in the market. This may be reminiscent of the public-key-infrastructure implementations several years ago that were not adopted, despite the good business cases made at that time.

Acronym Key
B2B: business-to-business
B2C: business-to-consumer
B2E: business-to-employee
EAM: extranet access management
ISP: Internet service provider
OASIS: Organization for the Advancement of Structured Information Systems
PDA: personal digital assistant

What else do I need to know about identity services?

The major advantage to using a federated identity service is the reduction of costs for enterprises that maintain separate identity systems. Prior to 2H05, Microsoft Passport and Liberty Alliance identity services specifications will not be mature enough to support cost savings in consolidating identity services (0.7 probability). If a large government, credit card company or U.S. telecommunications provider does not issue federated identities to all of its users prior to 2005, it will take longer for use of such identities to make business sense in the consumer market.

For deployment decisions that must be made in the interim, internal enterprise projects based on Active Directory should focus on using Windows Kerberos capabilities. All interenterprise efforts should require the use of SAML to support cross-platform interoperability. For most interenterprise use, SAML-based solutions such as those offered by leading EAM vendors will be the most cost-effective choices through 2005. They will support the least-disruptive migration path as the standards battles shake out or fade away into irrelevance.
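The risks section notes that SAML-based applications in a federated trust network must be implemented securely, and the recommendation above asks for SAML on all interenterprise efforts. The checks a relying party has to perform before it honours an assertion from a federation partner, as an added example that is not from this research note (SAML 1.x-style assertion, as used by Liberty phase one; the issuer roster, audience and sample assertion are constructed, and XML signature verification is assumed to happen separately):

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.x assertion namespace (Liberty phase one builds on SAML 1.x). The
# issuer roster, audience and sample assertion below are constructed for this
# example and do not come from any real federation.
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
TRUSTED_ISSUERS = {"idp.example-telco.test"}      # hypothetical federation members
MY_AUDIENCE = "https://sp.example-retailer.test"  # hypothetical relying party

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1"
    MinorVersion="1" AssertionID="_ex1" Issuer="idp.example-telco.test"
    IssueInstant="2003-08-12T10:00:00Z">
  <saml:Conditions NotBefore="2003-08-12T10:00:00Z" NotOnOrAfter="2003-08-12T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example-retailer.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2003-08-12T09:59:58Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>user@example-telco.test</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML dateTime values are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS, audience=MY_AUDIENCE):
    """Return the asserted subject name if the assertion may be honoured, else None.
    Assumes the XML signature over the assertion was already verified elsewhere."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        return None
    # 1. Only identities issued by a federation member are trusted
    if root.get("Issuer") not in trusted_issuers:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None
    # 2. Validity window: stale or replayed assertions are rejected (NotOnOrAfter is exclusive)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return None
    # 3. Audience: an assertion minted for another partner is not ours to honour
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if audience not in audiences:
        return None
    # 4. Only then read the subject the identity provider vouches for
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    return name.text if name is not None else None
```

Any one failed check rejects the assertion outright; partial trust in an assertion from outside the federation is exactly the lock-in and interoperability risk the note warns about.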