January 24, 2007
This article was contributed by Jake Edge.
A buzzword-dense press release announcing a new open source project for
'identity management' is hardly the kind of thing to set hearts racing.
The release did succeed on one level, however: it made us wonder what the
openLiberty project is and what it can do for open source developers.
Follow along as we try to shed some light on the world of internet
identities and the standards, protocols and organizations involved.
An 'internet identity' means different things to different people, often
depending on how they want to use the identity information. A website
owner who allows comments has much less strict requirements for what an
identity is than a hospital or stock broker might have. Some identities,
those used for e-commerce for instance, need to be tied to specific
individuals, whereas others can be pseudonymous. Privacy concerns also
play a role: a user does not necessarily want to hand the same information
to every party they establish an identity with. LWN should not (and does
not) require your government ID number in order for you to post comments
here, but a stock broker might very well need it.
The sponsor of openLiberty is the Liberty Alliance, a consortium of
vendors that seeks to provide standards for identity-based web services.
The organization was started by Sun Microsystems in 2001 as a competitor
to Microsoft's Passport (now Windows Live ID) single sign-on system. At the
time, many were concerned that Microsoft would become the gatekeeper of
internet identity management and that competitors would be locked out as
a result. Sun brought together around 30 vendors and some ideas it had
been working on to form the alliance, with the plan of providing open,
standards-based solutions for identity management.
Since that time, the alliance has produced a set of specifications for
what is, by all accounts, a complex, centralized system for identity
management built around the Security Assertion Markup Language (SAML), to
which the alliance contributed its own federation framework. SAML is an
OASIS standard that describes how an identity provider (the party that
authenticates a user) communicates the result to a service provider (the
site the user is trying to reach) in the form of signed assertions. The
alliance's system is popular with larger organizations that typically
have tighter requirements for identity management. Websites and services
with simpler needs have largely used OpenID (LWN article here) for single
sign-on.
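The SAML exchange above is described only in outline: the identity provider authenticates the user and hands the service provider an assertion saying so. What the service provider must then do with that assertion is where deployments go wrong, so here is an added example, written for this article and not taken from the openLiberty code or any Liberty specification. It assumes the assertion's XML signature has already been verified against the trusted identity provider's key by an XML-DSig library, and shows the checks that remain: issuer, validity window, audience, recipient and request correlation, and a replay cache. The sample assertion, entity IDs, URLs, request ID and clock-skew tolerance are all constructed for the example.

```python
# Added example (not openLiberty or Liberty Alliance code): the service-provider checks on a
# SAML 2.0 bearer assertion, assuming its XML signature was already verified by an XML-DSig library.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=2)  # tolerated IdP/SP clock drift (assumed value)

# Constructed sample assertion; entity IDs, URLs, IDs and times are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2007-01-24T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req-7"
          Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2007-01-24T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-01-24T11:59:00Z" NotOnOrAfter="2007-01-24T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# What this hypothetical service provider knows about itself and its IdP.
SP_CONFIG = {
    "issuer": "https://idp.example.org/metadata",    # trusted IdP entity ID
    "audience": "https://sp.example.com/metadata",   # our own entity ID
    "recipient": "https://sp.example.com/saml/acs",  # our assertion consumer URL
    "request_id": "_req-7",                          # ID of the AuthnRequest we sent
}
SAMPLE_NOW = datetime(2007, 1, 24, 12, 1, tzinfo=timezone.utc)

class InvalidAssertion(ValueError):
    pass


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # xs:dateTime in UTC


def validate_assertion(xml_text, *, issuer, audience, recipient, request_id, now, seen_ids):
    """Return the subject NameID if every check passes, else raise InvalidAssertion.
    seen_ids is the replay cache (a shared store with expiry, in a real SP)."""
    root = ET.fromstring(xml_text)
    # 1. Issuer must be the IdP whose key verified the signature.
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise InvalidAssertion("unexpected Issuer")
    # 2. Validity window on Conditions, allowing a little clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise InvalidAssertion("missing Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        raise InvalidAssertion("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        raise InvalidAssertion("assertion expired")
    # 3. Audience: an assertion minted for another SP must not log anyone in here.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise InvalidAssertion("assertion not intended for this audience")
    # 4. Bearer confirmation must target our ACS URL and answer a request we actually made.
    scd = root.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        raise InvalidAssertion("no bearer SubjectConfirmation")
    if scd.get("Recipient") != recipient:
        raise InvalidAssertion("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != request_id:
        raise InvalidAssertion("InResponseTo does not match an outstanding request")
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_time(scd.get("NotOnOrAfter")):
        raise InvalidAssertion("subject confirmation expired")
    # 5. Replay: each assertion ID is honoured once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise InvalidAssertion("assertion replayed or unidentified")
    seen_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def rejection_reason(xml_text, **kwargs):
    """Return the failure message, or None if the assertion was accepted."""
    try:
        validate_assertion(xml_text, **kwargs)
    except InvalidAssertion as exc:
        return str(exc)
    return None


def demo():
    """Accept the sample once, then show the replay, expiry and wrong-audience rejections."""
    cache = set()
    return {
        "accepted_subject": validate_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=cache, **SP_CONFIG),
        "replay": rejection_reason(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=cache, **SP_CONFIG),
        "expired": rejection_reason(SAMPLE_ASSERTION, now=SAMPLE_NOW + timedelta(minutes=10),
                                    seen_ids=set(), **SP_CONFIG),
        "wrong_audience": rejection_reason(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=set(),
                                           **{**SP_CONFIG, "audience": "https://other.example.net/metadata"}),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the signature check (done before this code runs) proves the assertion came from the identity provider, but says nothing about whether it was meant for this service provider, for this login attempt, or is still fresh; those are the audience, InResponseTo and time checks. The replay cache is what stops a captured assertion from being presented a second time inside its validity window.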
The openLiberty project is an attempt to attract more interest in the
Liberty system, especially from the open source community, presumably to
help drive adoption. The website is a portal geared towards developing
open source libraries that implement the various alliance specifications.
The first project is a Java client library implementing the Identity Web
Services Framework (ID-WSF) to provide single sign-on and other
identity-enabled web services. The portal has all the expected features:
a blog, a wiki, a mailing list, a source code repository (hosted by
SourceForge), etc.
As might be expected of a project that has just been announced, there are
few messages in the mailing list archive and the participant list appears
to be made up largely of Liberty Alliance members. Judging by the wealth of
information available on the website, the project has already done a lot
of the groundwork to establish the portal. It remains to be seen whether
it attracts a significant number of non-allied developers. Choosing a Java
client library to start with would seem to exclude a sizable portion of
interested parties; other languages are on the roadmap, and that might be
enough to lure in non-Java developers.
An interesting convergence of identity management solutions seems to be
going on in the background. Proponents of the different systems all see
the benefits of interoperability, and there are efforts underway to allow
OpenID and Liberty to work together. There is even talk that Microsoft may
join the party and make some kind of effort to interoperate with Liberty.
There are clear benefits to users in having one system to manage their
internet identity (or identities) across the universe of web services
they might wish to use. Simplicity of implementation for web service
providers, and different levels of assurance for different classes of
service, are also good features to have. One way to get there is to have
competing systems that interoperate more or less transparently, and it
seems we may be headed in that direction.