'

Microsoft pushes standardized SSO at RSA

If a company chose to stop relying on passwords and use smartcard strong authentication for their Active Directory infrastructure, the benefits of strong authentication would automatically extend to all the other WS-Federation peers.

[Updated: 9:40 AM]

Bill Gates and Microsoft kicked off the 2006 RSA conference in San Jose this year, and a key part of their message was identity federation using the WS-Federation standard.  The WS-Federation Web Services standard was created by IBM, Microsoft, BEA Systems, RSA Security, and VeriSign to promote simplified SSO (Single Sign On) authentication across dissimilar applications and organizations.

What's significant is that Microsoft has added native WS-Federation capability to Windows Active Directory and bundled it with Windows Server 2003 R2 with the new ADFS (Active Directory Federation Services) component.  This means that Microsoft has extended its Active Directory reach to the Internet and can interoperate with other organizations that may or may not be running Windows Active Directory.  This directly impacts every organization that has to deal with multiple login accounts in a very positive way.

To see this in a real world situation, imagine if Company-A needed to outsource its timecard and payroll services to Company-B.  Traditionally when Company-A employees need to securely log in to Company-B's website to access their timecard, they usually have to be issued a password by an administrator first before they can get in to the system.  What tends to happen is that most people simply use one of their existing passwords or they use something different and end up forgetting their passwords and have to call tech support to get back in to the system.

If Company-A and B sets up a WS-Federation link instead, then employees from Company-A would simply use their existing Active Directory credentials or even just automatically log in to Company-B's timecard site which might be running LDAP authentication internally or anything else that's compatible with WS-Federation.  This not only simplifies management of the entire system, but it makes life easy for the users because they no longer need to deal with multiple authentication schemes and multiple passwords.

From a security standpoint, this is vastly superior to managing separate user databases for each organization.  In this particular case, Company-B would have never had the chance to see user A's password since they were never in the business of managing Company-A user passwords in the first place.  This essentially reduces the footprint of sensitive password data and reduces the chances for password compromise.  This same principle not only applies to inter-organization SSO, but also inter-application SSO.

If a company were to implement something like Oracle 10g Application Server (which supports WS-Federation), they could directly tie it in to the company's ADFS infrastructure.  This frees Oracle 10g from having to rewrite a separate secure authentication mechanism because it would delegate that responsibility to ADFS or whatever centralized WS-Federation capable user directory a company is using.  If a company chose to stop relying on passwords and use smartcard strong authentication for their Active Directory infrastructure, the benefits of strong authentication would automatically extend to all the other WS-Federation peers.  Without a federated approach, every organization and application would have to reinvent the wheel every single time they want to roll out a better solution like smartcards and that simply isn't practical.