Entrust, IBM, Microsoft, Novell, Ping Identity, SAP and Siemens Pass Liberty Alliance SAML 2.0 Interoperability Testing
Liberty Interoperable program grows as enterprises and governments deploy SAML 2.0 to deliver secure business services, protect identity data, meet regulatory and transparency goals
Sept. 30, 2009 – Kantara Initiative and Liberty Alliance today announced that identity products from Entrust, IBM, Microsoft, Novell, Ping Identity, SAP and Siemens have passed Liberty Interoperable™ SAML 2.0 interoperability testing. These vendors participated in the third Liberty Interoperable full-matrix testing event to be administered by the Drummond Group Inc., and the first event to test products against the new eGovernment SAML 2.0 profile v1.5 recently released by Liberty Alliance. Web-based full-matrix testing allows vendors to participate from anywhere in the world and features rigorous processes for ensuring products meet SAML 2.0 interoperability requirements for open, secure and privacy-respecting federated identity management.
“The summer 2009 full-matrix testing event included more vendors than ever before, reflecting the worldwide demand among enterprises and governments for SAML 2.0 identity-enabled solutions that have proven to interoperate,” said Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president, Oracle Identity Management. “Organizations can count on Liberty Interoperable for products that have proven to meet interoperability requirements today and over the long-term as the program moves to expand within Kantara Initiative to test against additional identity standards and protocols.”
This year’s program featured enhanced SAML 2.0 testing scenarios between Service Provider (SP) and Identity Provider (IdP). The eGovernment SAML 2.0 profile and its requisite test plan have been developed by Liberty Alliance with input from the Danish, New Zealand and US governments. Testing processes for the eGovernment profile included multiple SP logout scenarios, requested authentication context comparisons, and other aspects of SAML 2.0 necessary to meet interoperability, privacy, security and transparency requirements in the global eGovernment sector. A review of the SAML 2.0 v1.5 eGovernment profile is available at http://tinyurl.com/y9geb94
“SAML 2.0 is the most popular federation protocol in the industry and utilized by commercial, educational, and government institutions around the globe,” said Gerry Gebel, VP and service director at Burton Group. “Federated single sign-on demand is growing, spurred by broad adoption of SaaS applications and the general increase in collaboration among business partners in every industry. The Liberty Interoperable program is instrumental to sustaining successful deployments in advanced federation scenarios where multiple products are in use.”
During the July 14 – September 4, 2009 testing event, the following products demonstrated interoperability based on a variety of SAML 2.0 conformance modes. A detailed list outlining what each vendor passed is available at http://tinyurl.com/yahs2u8
Entrust - Entrust IdentityGuard Federation Module 9.2 is a part of Entrust’s versatile authentication platform, supporting numerous authentication methods in one cost-effective solution. Organizations are empowered to choose the right authentication method(s) for their users accessing enterprise, consumer, government or mobile applications. Entrust IdentityGuard includes support for username & password, IP-geolocation, device-ID, questions and answers, out-of-band OTP soft tokens (via voice, SMS, e-mail), grid and eGrid cards, digital certificates and a range of hardware OTP tokens. Entrust IdentityGuard enables rapid deployment, centralized policy management, and an easy integration into the enterprise. Entrust IdentityGuard also includes the ability to apply transaction digital signatures for increased confidence in online transactions. Entrust IdentityGuard serves as a certified SAML 2.0 identity provider, providing standards-based interoperability to organizations. Combined with Entrust’s zero-touch fraud detection solution, Entrust IdentityGuard provides a powerful risk-based solution for authenticating users.
Entrust - Entrust GetAccess 8.0 delivers a single entry and access point for user authentication and authorization across multiple Web portal applications. The solution delivers full service provider (SP) capabilities and provides organizations with security, flexibility and performance to personalize the user experience of a Web portal through the following key services: flexible authentication, including seamless integration with Entrust IdentityGuard for step-up authentication; proven authentication interoperability via standards such as SAML, Kerberos, X.509 and others; SSO to Web and non-Web applications via SAML; authorization including fine-grained access control to online resources; rich policy management capabilities, allowing controlled access based on environmental considerations (e.g. authentication method used, physical location, TOD, external data sources); centralized session management; personalization of content; integration with leading application and portal vendors; web-based tools for business administration and operational control.
IBM - IBM Tivoli® Federated Identity Manager (TFIM) 6.2 provides a full-featured web access management solution for managing identity and access to resources that span companies or security domains. Rather than replicate identity and security administration across companies, Tivoli Federated Identity Manager provides a simple, loosely coupled model for managing trusted identities and providing them with access to information and services including SaaS and cloud-based deployments. For companies deploying Service Oriented Architecture (SOA) and Web Services, TFIM provides centralized identity mediation services for federated Web services identity management across multiple domains (e.g. Java, .NET and mainframe). TFIM supports the following standards: SAML Protocol 1.0/1.1/2.0, OpenID Authentication 1.1/2.0 – OpenID Simple Registration Extension 1.0, Information Card Profile, WS-Federation Passive Requestor Profile, Liberty ID-FF 1.1/1.2, WS-Trust 1.2/1.3.
Microsoft – Microsoft Active Directory Federation Services (AD FS) 2.0 enables Active Directory to be an identity provider in the claims based access platform. AD FS provides end users with a single sign-on experience across applications, platforms and organizations and simplifies identity management for IT Pros. AD FS 2.0 is part of the Windows Server platform, and supports both on-premises and cloud solutions.
Novell - Novell Access Manager 3.1 simplifies and safeguards online asset-sharing, helping customers control access to Web-based and traditional business applications. Trusted users gain secure authentication and access to portals, Web-based content and enterprise applications, while IT administrators gain centralized policy-based management of authentication and access privileges. What’s more, Novell Access Manager supports a broad range of platforms and directory services, and it’s flexible enough to work in even the most complex multi-vendor computing environments. Novell Access Manager makes administration easy. You can use it to centralize access control for all digital resources, and it eliminates the need for multiple software tools at various locations. One access solution fits all applications and information assets. In addition, Novell Access Manager includes support for major federation standards including Security Assertions Markup Language (SAML), WS-Federation and Liberty Alliance.
Ping Identity - PingFederate v6.1 is an Internet Identity Security platform that delivers an enterprise-class, scalable, cost effective and standards-based software solution for enabling Internet Single Sign-On, Identity-Enabled Web Services and Internet User Account Management. PingFederate provides a centralized platform for managing all of your external identity connections with customers, Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) providers, partners, affiliates and others. Your organization can have Internet SSO and Identity-Enabled Web Services connections in days with point and click connection configuration, out-of-the-box integration capabilities, multi-protocol support, and automated user account management. Over 350 enterprises and service providers worldwide base their Internet identity security strategy on PingFederate.
SAP - The next release of SAP NetWeaver Identity Management 7.2 is planned for the second quarter 2010. SAP plans to significantly enhance the product with an Identity Provider (IdP) and Secure Token Service (STS) to support web-based Single Sign-On via SAML 2.0 assertions, identity federation and Single Sign-On for web services. The existing features to centrally administrate and provision users – provided by the Identity Center and Virtual Directory Server components – will be extended and allow for integrated scenarios with the IdP. The new IdP and STS will add access management features to the SAP NetWeaver Identity Management and allow the solution to be integrated into an Enterprise Single Sign-On environment reducing TCO and administrative effort.
Siemens - DirX Access V8.1 is a comprehensive solution that integrates access management, entitlement management, identity federation, Web services security, and Web Single Sign-on in one single product to protect your web applications and web services from unauthorized use. DirX Access provides for the consistent enforcement of business security policies through external, centralized, policy-based authentication and authorization services, enhances Web user experience through local and federated single sign-on and supports regulatory compliance with audit and reporting both within and across security domains.
About the Liberty Interoperable Program
The ongoing success of the Liberty Interoperable program is demonstrated by the wide scale deployment of SAML 2.0 products and the increasing number of businesses and governments such as the US GSA, now requiring vendors to pass Liberty Alliance testing. With nearly seven years of testing products for true interoperability of identity specifications, Liberty Alliance expects to expand the Liberty Interoperable program within Kantara Initiative to reflect growing momentum for proven interoperable multi-protocol identity solutions. More information about the program, including a list of all vendors who have passed Liberty Alliance testing, is available at http://tinyurl.com/yduzy4t
###
Michigan Healthcare Information Exchange Adopts Kantara Initiative Identity Assurance Framework
Regional program leverages four levels of identity assurance and certified identity services from Kantara Initiative to advance trusted, secure and privacy-respecting applications for healthcare providers and patients
Washington DC, September 24, 2009 – Kantara Initiative, a global identity community working to solve harmonization challenges among enterprise, Web 2.0 and Cloud applications and services, today announced that the South East Michigan Health Information Exchange (SEMHIE) has adopted the Kantara Initiative Identity Assurance Framework (IAF) as its open trust framework for ensuring policy interoperability across identity-enabled healthcare applications and services. The SEMHIE will require organizations participating in the regional healthcare exchange to have identity services certified within the Kantara Initiative Identity Assurance Certification Program.
“We are adopting the standardized Kantara Initiative Identity Assurance Framework because it has been developed by industry leaders representing the global healthcare, government, financial services and telecom sectors to meet open trust framework requirements based on four levels of identity assurance,” said Helen Hill with SEMHIE and member of the Healthcare Reform Committee for HIMSS. “Hospitals and regional healthcare providers participating in SEMHIE as credential service providers will be certified by Kantara Initiative to demonstrate they have met identity assurance criteria, ensuring policy interoperability across the region and the highest degree of security and privacy for patients.”
The SEMHIE is a multi-stakeholder initiative dedicated to delivering the promise of integrated health information exchange throughout Southeast Michigan. When successfully deployed, SEMHIE will enhance patient care, quality and safety; increase effectiveness and efficiency of healthcare delivery; and reduce healthcare costs. More information about SEMHIE is available at http://www.semhie.org/
“With the adoption of four levels of identity assurance and certified identity services from Kantara Initiative, the SEMHIE is at the forefront of successfully addressing the policy interoperability challenges involved in establishing trusted identity federations across industries and sectors,” said Frank Villavicencio, executive director, NetStar-1, Inc. and chair of the Kantara Initiative Identity Assurance Work Group.
About the Kantara Initiative Identity Assurance Certification Program
The Kantara Initiative Identity Assurance Certification program certifies that identity services have met business and policy criteria for each of the four identity assurance levels outlined in the technology agnostic IAF. Certified identity services eliminate the need for organizations to “reinvent the wheel” each time they need to assess the risk of accepting identity credentials from an outside party. More information is available at http://tinyurl.com/r6le4r.
###
Kantara Initiative Announces Winners of the 2009 IDDY Award
Applications in the global identity, eCommerce, eGovernment, social networking and telecom sectors win Identity Deployment of the Year Awards
Las Vegas, NV – September 15, 2009 — Kantara Initiative, a global identity community working to solve harmonization and interoperability challenges among identity-enabled enterprise, Web 2.0 and Cloud applications and services, today announced that six applications have won a 2009 IDDY (Identity Deployment of the Year) Award. The IDDY Deployment award winners include Google and Plaxo; Signicat; and the U.S. Department of Defense. The winning IDDY Proof of Concept (POC) awards include fun communications; Gemalto and Vodafone; and NRI, NTT and Oracle. The IDDYs were presented today at CSO magazine’s Digital ID World 2009 in Las Vegas, NV.
“Winners of the 2009 IDDY Award reflect the evolving identity landscape, where applications are leveraging a wide range of protocols and collaboration is key to moving the global identity industry forward,” said Brett McDowell, executive director, Kantara Initiative. “With more joint submissions than any other year and nominations spanning industries and regions, we congratulate the six winning applications from ten different organizations for demonstrating some of the most innovative and diverse identity solutions in the marketplace today.”
Now in its fourth year, the IDDY program has grown within Kantara Initiative to recognize the individuals and organizations developing identity-enabled applications built using any open identity technology. Judges evaluate nominations based on criteria that include the benefits applications deliver to communities, businesses, governments and people; the ROI the application demonstrates; and how the solution may successfully address identity issues such as reducing identity theft, meeting regulatory requirements, and providing users with increased security and privacy protection.
Winners in the Deployment Category:
Google and Plaxo – Google and Plaxo have won an IDDY Deployment award for their collaborative work in the development of a “hybrid onboarding” solution designed to increase the success rate of users finishing the registration process with a social network. The solution uses a combination of open technologies referred to as the “OpenStack,” which includes OAuth, OpenID, Portable Contacts and XRDS. Because the implementation uses open technologies, the solution can be easily replicated by others to optimize onboarding between any OpenID Provider (OP) and Relying Party (RP) pairing. With a success rate of 92 percent, the application enhances the user experience while providing increased security and privacy protections. The service was deployed by Google and Plaxo in early 2009 and is currently available to hundreds of millions of Google users. A presentation reviewing the application is available at http://tinyurl.com/ok8u9x
Signicat – Signicat has won an IDDY Deployment award for the development of an online hosted Identity Provider that is offered as a managed service to private and public sector enterprises and organizations in the Nordic Region (Norway, Sweden, Denmark and Finland). The service acts as an intermediary to provide organizations with easy and secure access to the region’s eID (electronic ID) infrastructure. The solution supports SAML for strong authentication and SAML and OpenID for Web Single Sign On, as well as eSignature for workflow and long-time archiving of signed documents. The Identity Provider went live in October 2005, and is currently used by approximately thirty organizations giving access to over 12 million pre-authenticated identities. More information is available at www.signicat.com.
U.S. Department of Defense – The U.S. Department of Defense (DoD) has won an IDDY Deployment Award for SPOT (Synchronized Pre-Deployment and Operational Tracker), a Web-based enterprise networking solution used by the DoD for precise tracking and management of assets supporting US forces deployed overseas. The contractor cross-credentialing with SPOT has been developed and launched in collaboration between the U.S. Department of Defense and the Federation for Identity and Cross-Credentialing Systems, Inc. (FiXs). The system recognizes identity credentials issued by various government entities as well as compatible, standards-based, certified identity credentials issued by industry to support identity-based transactions between the U.S. Government, various international coalition governments, and supporting industry contractors and suppliers. SPOT provides visibility into contingency contracts accounting for 10,439 companies and 3,783 active contracts, with the system currently supporting more than 12,650 end users. More information is available by visiting http://www.bta.mil/products/spot.html and http://fixs.org/.
Winners in the Proof of Concept Category:
fun communications – fun communications has won an IDDY in the POC category for the development of its WebCard Loyalty solution, a public portal that can be used worldwide. WebCard Loyalty lets anyone create their own customer loyalty system for the Internet using “virtual loyalty cards” and is based on Information Card Technology. The application combines user-centric identity management and customer loyalty programs such as bonus points, coupon promotions and discounts on partner websites, into a single application. Retailers and portal operators can issue their own virtual loyalty cards that can serve as a reliable means of authentication and authorization. The portal can be adapted to meet individual requirements, and is suitable for issuing all types of virtual identification cards such as student ID cards, library cards and discount cards. More information is available by visiting http://www.fun.de and http://www.webcard-loyalty.com.
Gemalto and Vodafone – Gemalto and Vodafone Group R&D have won an IDDY in the POC category for the development of a solution that adds strong authentication capabilities to OpenID using a Universal Integrated Circuit Card (UICC, typically a SIM card) inserted in a handset or inside a USB token, and uses either public key infrastructure (PKI) or a one-time password (OTP) as the underlying authentication technology. The application allows the use of distinct devices to access the service and to authenticate. The UICC (SIM) is used as a networked cryptographic computer exposing authentication services accessible via IP protocols. This provides users with new and convenient options for securely accessing OpenID-enabled sites from devices such as a PC, handset or game station. Mobile network operators could offer a service to allow end users to leverage UICC-based OpenID single-sign-on to secure access to Web applications. More information is available by visiting http://www.betavine.net.
NRI, NTT and Oracle – NRI, NTT and Oracle have won an IDDY in the POC category for an application that demonstrates the possibility and practicality of achieving policy interoperability between OpenID and SAML. Both technologies include mechanisms designed to carry identity assurance information; OpenID uses the Provider Authentication Policy Extension (PAPE), while SAML uses its Authentication Context. While the two mechanisms are logically similar, until this proof of concept, they had not been demonstrated to be compatible. The application demonstrates how the number of services where an existing OpenID or SAML credential might be used could be effectively increased. A presentation reviewing the application is available at http://tinyurl.com/q5egag
This year’s winners join the growing list of IDDY Award recipients who have been at the forefront of successfully addressing some of the most challenging technology and policy issues in the global identity sector, with each winner delivering unique benefits to organizations and users. Previous winners of the IDDY include Aetna, Citi, Deutsche Telekom AG (a two-time winner), eBIZ.mobility, EduTech, NTT Labs, UNINETT, the New Zealand Government, Rearden Commerce and the UK Government Authentication Gateway. Kantara Initiative will issue the call for nominations for the 2010 IDDY Awards during 2Q 2010.
About the Kantara Initiative 2009 IDDY Award Judging Panel
The following individuals served on the 2009 Judging Panel: J. Trent Adams, trust & identity outreach specialist, Internet Society and chair of the Kantara Initiative Leadership Council; Mike Beach, CISSP, chief security designer, information security, The Boeing Company; Bob Bragdon, Publisher, CSO magazine; John Fontana, senior editor, Network World; Gerry Gebel, VP & service director, identity and privacy strategies, Burton Group; Paul Madsen, chair of the Kantara Initiative ID-WSF Evolution Work Group and identity standards researcher, NTT; RL Bob Morgan, senior technology architect, University of Washington; Nat Sakimura, senior researcher, Nomura Research Institute (NRI); Toby Stevens, director, Enterprise Privacy Group; Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president Oracle Identity Management; and Phil Windley, founder and chief technology officer, Kynetx. Panelists recused themselves from judging in categories where their organization had submitted a nomination. More information about the IDDY Awards is available at http://tinyurl.com/ldteb2
###