Computerworld - Suppose an airline wants to give its online customers access to special offers from its hotel and car rental partners, yet spare those users the bother of logging in each time they link to a new password-protected Web site.
The airline also might want to give its employees access to the secure sites of its 401(k) and insurance providers without forcing them to prove their identities multiple times.
Two of the more prominent options the airline might consider are Microsoft Corp.'s Passport service and future systems based on specifications drawn up by the Liberty Alliance Project, an industry consortium with more than 120 members, whose founders include Sun Microsystems Inc., American Express Co. and United Air Lines Inc.
But IT shops might want to carefully assess their choices for single sign-on and user identity management, because both options are in a state of flux and new Web services approaches could alter the landscape even more.
"You really have to have a driving business need to want to do this now, because of the potential for change," says Randy Heffner, an analyst at Cambridge, Mass.-based Giga Information Group Inc.
In July, the Liberty Alliance Project released its specifications for a standards-based mechanism for simplified sign-on and user identity management. But although vendors have promised products based on those specifications, they have yet to produce them.
The second phase of the specificationswhich will include guidelines for site-to-site authentication and user-attribute sharingisn't due until the first half of next year, says Paul Madsen, a member of the Liberty Alliance's technology expert group and manager for identity services at Addison, Texas-based Entrust Inc.
Microsoft's Passport authentication service, which has primarily targeted consumers, relies largely on proprietary protocols that the company made available last month for inspection and development through its shared source code licensing program. But Passport is expected to shift to authentication tokens based on MIT's Kerberos technology and add support for Web services standards next year. That, in turn, has given many in the industry hope that Passport may someday interoperate with Liberty-based authentication and identity management systems.
Currently, the approaches differ. One major distinction is the location where each model stores and maintains user data. Another is the means by which the systems share a user's authentication status information.
Under the Microsoft service, users register either via www.passport.com or a member site that has an agreement with Microsoft. The member site must be running Passport Manager software, which serves as an intermediary between the site's server and the Passport server and helps decrypt incoming cookies.
When a user logs into a member site, he is redirected to a page with the Passport user interface and branding from the referring site. The member site can decide how many of 10 possible fields of information it wants the user to fill in, and the information is stored in Microsoft's Passport servers. Users can opt to share all of that information with other Passport-enabled sites when they sign in, or only their e-mail addresses or names.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!