Finding the Right ID
Microsoft faces challenges as it looks to advance CardSpace for cross-platform identity management.
As Microsoft looks to advance its interoperability initiative, CardSpace -- the company's identity-management framework -- promises to play a key role in providing authentication between Windows and .NET-based apps on the one end, and the Web, open source technology and other key enterprise software platforms on the other.
Microsoft lowered a key barrier by adding support for the recently upgraded industry standard OpenID specification into its CardSpace client identity-management framework. Still, it could be some time before developers are called on to use OpenID and CardSpace for cross-platform enterprise applications.
CardSpace is a key component of Microsoft's .NET Framework 3.5 and is supported in Internet Explorer 7 and Windows. It's built largely on Microsoft Windows Communication Foundation (WCF), serving as the identity provider.
As reported last month, Microsoft and key rivals including Google Inc., IBM Corp., VeriSign Inc. and Yahoo! Inc. all reiterated support for OpenID by joining the OpenID Foundation's board ("Key Rivals Sign in to OpenID," March 15). OpenID also took a step forward with the December release of the OpenID 2.0 spec, which eliminates the need to re-enter a URL to invoke log-on to different sites.
Despite the activity, enterprises may initially be hesitant to throw their weight behind CardSpace. That's because even though CardSpace can be implemented on a non-Microsoft client, "you need a Web site with the Windows platform to use all the tools provided by Microsoft," says Jim Reno, CTO at Arcot Systems Inc., a Sunnyvale, Calif., supplier of identity-authentication software.
"If you want to work with Outlook or Microsoft's browser or any other Microsoft product, you have to use Microsoft's CSP," says Doc Vaidhyanathan, Arcot's VP of product management. CSP stands for Cryptographic Service Provider. CSP modules supply cryptographic functionality for the Microsoft CryptoAPI: They perform all cryptographic operations and manage private keys.
Microsoft's support for OpenID only means the identity provider "has to be flexible enough that it can respond to an OpenID request or a CardSpace request or a SAML [Security Assertion Markup Language] request," says Vaidhyanathan. "Different people have adopted different standards on authentication, [and] it will finally be up to the market to adopt a standard," he adds.
While Microsoft is trying to make CardSpace the standard, "CardSpace doesn't work with anything except a CardSpace client today," Vaidhyanathan says. "[Arcot] will continue to provide an identity service that will work with multiple options, and whether you're using your assertion with CardSpace or OpenID or Google Apps, you don't want to have to do this multiple times."
Microsoft's Take on OpenID
While OpenID provides single sign-on to social networking sites and blogs -- letting users log in one time to employ a public persona across multiple sites -- it's not robust enough to support government applications, casual Web surfing, financial transactions or private data access. Microsoft's Chief Identity Architect Kim Cameron has said in his Identity Weblog that the company is interested in OpenID as part of a spectrum of solutions. Microsoft did not make Cameron available for an interview.
But Cameron has written that unlike redirection protocols such as SAML, WS-Federation and OpenID, CardSpace limits the amount of personal information users need to give out, making Web surfing more secure.
Microsoft describes CardSpace as an identity selector -- the user creates self-issued cards and associates a limited set of identity data with each. The CardSpace user interface is security-hardened, and the user decides what information will be provided. However, CardSpace can't completely avoid artifacts that allow linkage when managed cards carrying claims asserted by a third-party authority are used, Cameron has written.
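As an added illustration of the selective-disclosure point above (example code written for this page, not from the article, Microsoft or Arcot): a simplified model in which a selector releases only the claims a site requests and derives a different pseudonym for each relying party, so two sites cannot match up the same user. The claim names, the HMAC derivation and the token layout are assumptions for illustration, not CardSpace's actual token format or identifier algorithm.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Simplified model of an identity selector releasing claims from a
# self-issued card. Field names and the derivation below are illustrative
# assumptions, not CardSpace's real token format or PPID algorithm.


@dataclass
class SelfIssuedCard:
    # Constructed sample card: a per-card random secret plus the identity
    # data the user chose to associate with this card.
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    claims: dict = field(default_factory=dict)


def pairwise_id(card: SelfIssuedCard, relying_party: str) -> str:
    """Per-site pseudonym derived from the card secret and the site's identity.
    The same card yields a different value for each site, so sites cannot
    correlate it the way they could a single global identifier (e.g. one URL
    reused everywhere)."""
    return hmac.new(card.master_key, relying_party.encode(), hashlib.sha256).hexdigest()


def release_claims(card, relying_party, required, optional=(), approve_optional=False):
    """Return only the claims the site asked for and the user agreed to release.
    A missing required claim aborts the release instead of sending a partial token."""
    missing = [c for c in required if c not in card.claims]
    if missing:
        raise ValueError(f"card lacks required claims: {missing}")
    token = {"issuer": "self", "ppid": pairwise_id(card, relying_party)}
    token.update({c: card.claims[c] for c in required})
    if approve_optional:  # optional claims go out only with explicit user approval
        token.update({c: card.claims[c] for c in optional if c in card.claims})
    return token


def demo():
    """Constructed scenario: one card used at two sites with different needs."""
    card = SelfIssuedCard(claims={"givenname": "Alice", "email": "alice@example.test",
                                  "dateofbirth": "1980-01-01"})
    # A blog only needs an email; a shop needs a name and asks optionally for
    # a date of birth, which the user declines to release.
    blog = release_claims(card, "https://blog.example.test", ["email"])
    shop = release_claims(card, "https://shop.example.test", ["givenname"], ["dateofbirth"])
    return blog, shop
```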
Work in Progress
Indeed, CardSpace is still quite new. One of the few enterprises that has implemented CardSpace is DiscountASP.NET, which specializes in ASP.NET Web hosting and SQL Server database hosting. DiscountASP.NET has a beta implementation of CardSpace underway.
"At this time, we've only released the CardSpace integration for Control Panel log-in as a beta," says Takeshi Eto, the firm's VP of marketing. "We're not yet comfortable officially releasing it."
Eto says the DiscountASP.NET staff "needs to learn more about it and we need to see how it plays with Windows Server 2008." He says it will be "some months" before the company might take the solution out of beta testing.
Other issues regarding CardSpace adoption include the lack of trusted identity providers, the inability to implement CardSpace on mobile platforms and cross-platform compatibility.
"There are not that many trusted identity providers today, so enterprises have to fall back on self-managed cards, and I don't see that as being too different from setting up your own identity providers," says Forrester Research Inc. analyst Andras Cser.
"Microsoft needs to figure out how to make this thing platform-independent and mobile: What happens if you're working at an airport kiosk? How can you sync up the identity cards?" Cser adds.
Despite Microsoft's support for OpenID, Cser suggests that other compatibility challenges need to be met before enterprises adopt CardSpace for identity management.
"CardSpace will have to be compatible with other platforms if it's to be adopted in the enterprise," says Cser. "What are the compatibility promises Microsoft will make that will let users not just have B2C contact, but also B2B contact -- the enterprise contact?"
Nevertheless, OpenID could prove to be an enabling technology. To support OpenID, Microsoft will work with JanRain Inc., Sxip Identity Corp. and VeriSign on creating a profile that will open the door to involvement by other developers and services providers in identity authentication and management.
JanRain and Sxip provide open source code libraries for blogging and Web sites. VeriSign will add support for the CardSpace Information Cards to its OpenID code bases. Meanwhile, Microsoft will support OpenID in future identity-management products.
Enterprises will see the value of CardSpace "when Microsoft integrates CardSpace as an enterprise server as part of identity management," says Nico Popp, VeriSign's vice president of innovation.
CardSpace and the Enterprise
CardSpace is currently positioned primarily for the Internet, but things will change with the next release of Active Directory Federation Service, because Microsoft will make CardSpace "much more appealing and easy to use" in the enterprise, says David Chappell, principal of San Francisco-based consultancy David Chappell & Associates.
However, enterprises may have to rethink their approach to security and authentication because "CardSpace is part of what Microsoft calls the identity metasystem," Chappell explains. He warns that the term can be "very confusing because it doesn't always mean the same thing" at Microsoft. "Once you understand the technology, it makes sense," he says.
Cross-Platform CardSpace Options
Windows CardSpace works best with Internet Explorer 7, the .NET Framework 3.0/3.5 and Windows Vista. But it can also work with other technologies. Developers can build CardSpace security tokens for ASP.NET 1.1 to integrate .NET 1.1 ASP.NET applications with CardSpace without having to move the entire application to .NET 3.0. And developers can also create what Microsoft calls Identity Selectors, extensions for Firefox and other non-Microsoft platforms that work with CardSpace.
An Apache Authentication Module for CardSpace from Ping Identity Corp. is available for download at www.sourceid.org. This is an open source module that lets applications using an Apache hosting or proxy server use Information Cards as an additional authentication mechanism, letting Apache applications act as CardSpace-relying parties. The module decrypts the tokens submitted by CardSpace, retrieves the claims and makes them available for use by the applications.
Ping Identity also released PingFederate earlier this year, which it calls the world's first rapidly deployable software that enables secure Internet single sign-on by giving an organization's users safe access to Internet applications without the need to log in again. It supports SAML 1.0, SAML 1.1, SAML 2.0 and WS-Federation. Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between an identity provider and a service provider.
To further bolster its position, Ping Identity acquired the Sxip Access business from Sxip Identity Corp. on March 11. This consists of the single sign-on provisioning and de-provisioning software; an appliance; and hosted services of Sxip Identity, all offered in the Software as a Service model.
Another identity framework in the market that supports CardSpace comes from the Eclipse Foundation, based in Ottawa, Canada. In February, the Foundation announced the availability of Eclipse Higgins 1.0, a freely downloadable identity framework designed to integrate identity, profile and social relationship information across multiple sites, applications and devices using extensible components.
Higgins 1.0 was developed by the Eclipse Higgins project -- a coalition of organizations and individuals -- to let developers work with multiple identity protocols, including WS-Trust, OpenID, SAML, XDI and LDAP, while meeting the differing needs of Web 2.0, mashups, social networking and the general rise of networked applications.
Unlike OpenID, SAML or WS-Trust, Higgins is not an identity protocol; it's a framework that lets software developers integrate and leverage multiple protocols within their applications. Developers can use Higgins to support different protocols instead of having to become proficient in them all.