OSCON: Open-Sourcing Identity

Published 2008-07-23

Atlassian's Dave O'Flynn announced a new (and as yet unnamed) open source identity management project at OSCON. Atlassian's effort is intended to address the shortcomings of existing identity systems such as LDAP, SAML and OpenID.

O'Flynn began with a discussion of current identity management systems, describing their implementations as painful and rife with annoying problems. He outlined four requirements for such systems:

  • Authentication - are you really who you claim to be?
  • Authorization - what are you allowed to do?
  • Info about the user - email, address, etc. Not related to authorization.
  • Info about the other users on the system - necessary if you need to interact with those users.

Existing solutions do not meet all of those requirements:

  • LDAP is a standard protocol for querying directories of information about people. It's like SQL - it's the same across all servers until you want to do something interesting, at which point you need a complex compatibility layer to handle all the permutations. LDAP supports authentication, authorization, user data, and details about other users. The biggest problem is that LDAP is just too hard to work with; it can take a year to learn all the quirks of the different implementations.
  • OpenID has been getting a lot of press. For instance, MySpace is giving all its users an OpenID, but oddly you can't log in to MySpace with an existing OpenID. The big problem with OpenID is that you're asking people to remember a URL. OpenID also doesn't support authorization, so you still have to store permissions on your own site. OpenID 2.0 adds attribute exchange, but there's still no way to find out who else is on the system.
  • SAML stands for Security Assertion Markup Language. It's a great idea built on digitally signed XML, but it's too difficult to use, and any two parties that want to federate must first exchange public keys. SAML isn't useful for discovering other users.
  • Information Cards/CardSpace. Microsoft's effort provides some good .NET tools but has problems similar to SAML's: there is no authorization and no discovery of other users.
  • Acegi/Spring Security - This product is popular with Java developers and provides authentication and basic authorization.

Faced with the limitations of existing identity management solutions, Atlassian recently decided to implement and publish its own. The product will be a set of REST APIs along with a test suite that lets anyone build and verify their own implementation. The data store and the APIs are separable, so you can swap back ends as needed; in the worst case you'll have to change the URL of the server.
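Atlassian's API was unnamed and unpublished at the time of the talk, so the following is an added illustration, not Atlassian's code, of the shape O'Flynn described: one contract covering the four requirements (authentication, authorization, user attributes, discovery of other users), a swappable back end behind it, and a conformance suite that any implementation can be run against. Every name in it (IdentityBackend, InMemoryBackend, conformance_suite, the "wiki:edit" action and the example.com users) is an assumption made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Protocol


class IdentityBackend(Protocol):
    """Hypothetical contract covering the four requirements from the talk.
    Any back end (in-memory, SQL, a remote REST server) implements these calls."""

    def add_user(self, username: str, password: str, actions=(), **info) -> None: ...
    def authenticate(self, username: str, password: str) -> bool: ...      # are you really you?
    def is_allowed(self, username: str, action: str) -> bool: ...          # what may you do?
    def user_info(self, username: str) -> Optional[Dict[str, str]]: ...    # email, address, ...
    def list_users(self) -> List[str]: ...                                 # who else is here?


class InMemoryBackend:
    """Hypothetical reference back end: dict storage, PBKDF2-hashed passwords."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._creds: Dict[str, tuple] = {}   # username -> (salt, derived key)
        self._roles: Dict[str, set] = {}     # username -> allowed actions
        self._info: Dict[str, Dict[str, str]] = {}  # username -> attributes

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, username, password, actions=(), **info) -> None:
        salt = os.urandom(16)
        self._creds[username] = (salt, self._derive(password, salt))
        self._roles[username] = set(actions)
        self._info[username] = dict(info)

    def authenticate(self, username, password) -> bool:
        rec = self._creds.get(username)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))

    def is_allowed(self, username, action) -> bool:
        # Authorization is kept separate from user attributes, as the talk requires.
        return action in self._roles.get(username, set())

    def user_info(self, username) -> Optional[Dict[str, str]]:
        info = self._info.get(username)
        return dict(info) if info is not None else None

    def list_users(self) -> List[str]:
        return sorted(self._creds)


def conformance_suite(backend: IdentityBackend) -> List[str]:
    """Runs one fixed set of checks against any back end and returns the names
    of the checks that failed; an empty list means the back end conforms.
    The users and action names below are constructed for the example."""
    backend.add_user("alice", "correct horse", actions=["wiki:edit"], email="alice@example.com")
    backend.add_user("bob", "hunter2", email="bob@example.com")
    checks = {
        "authn_success": lambda: backend.authenticate("alice", "correct horse"),
        "authn_wrong_password": lambda: not backend.authenticate("alice", "wrong"),
        "authn_unknown_user": lambda: not backend.authenticate("mallory", "x"),
        "authz_granted": lambda: backend.is_allowed("alice", "wiki:edit"),
        "authz_denied": lambda: not backend.is_allowed("bob", "wiki:edit"),
        "authz_unknown_user": lambda: not backend.is_allowed("mallory", "wiki:edit"),
        "user_info": lambda: backend.user_info("bob") == {"email": "bob@example.com"},
        "user_info_unknown": lambda: backend.user_info("mallory") is None,
        "discover_users": lambda: backend.list_users() == ["alice", "bob"],
    }
    return [name for name, check in checks.items() if not check()]


if __name__ == "__main__":
    print("failed checks:", conformance_suite(InMemoryBackend()))
```

The point of the suite is the one O'Flynn made about a published test suite: a second back end (say, one that forwards each call to a REST server at a configurable URL) is conformant if and only if `conformance_suite` returns an empty list for it, so callers can switch implementations without changing application code.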

While the authentication portion could be used anywhere identity is needed (such as a publicly available web app), the authorization part of the API is more likely to find use within organizations, where credentials can be administered internally. The API won't be suitable for every situation; the goal is to handle the easy 80%.

Atlassian hopes to have a basic version out around Christmas. There will probably be a few revisions of the API, and once the specification has settled down they'd like to take it to one of the standards organizations.

Interoperability is important: the system needs to work with existing systems like SAML and will not invalidate that investment. The focus is on making identity management easier for application developers.

Licensing will be permissive, most likely something like BSD or Apache.
