Play it again, SAML?

I recently had the opportunity to speak with Joelle Kaufman of Reactivity about her company's latest Web services authentication offerings. (A transcript of the interview is posted here.) What's interesting is that Reactivity is concentrating on providing blanket authentication between the thick-client Microsoft world and the back-end legacy systems world.
There will be plenty of Web services running in and between our organizations, and we'll need a single sign-on authentication mechanism -- federated ID -- that can handle multiple users using multiple services. There has been a lot of tussling between the Microsoft and non-Microsoft camps about how authentication should be addressed. Big Red (Microsoft) has not signed on to Liberty Alliance/Security Assertion Markup Language (SAML). But let's face it, 90 percent of corporate desktops are running Windows, so thick clients cannot be ignored in any authentication plans.
Kaufman makes a compelling case for abstracting the authentication layer to handle any format -- Microsoft or non-Microsoft. "Even if Microsoft is pursuing its own course, that shouldn't stop you from using all that Microsoft has to offer, and all that everyone else has to offer. You just need the infrastructure to abstract and mediate between them. So use Microsoft to generate IWA (Integrated Windows Authentication) credentials."
"You need an abstraction layer that says, 'I can talk all your different languages. So you do SAML this way, you do it that way, not a problem; I'll deal with that. And what comes into me, if it's SAML to SAML, that's great. If it's IWA Kerberos, needs to go to SAML, not a problem.' So the choice to the enterprise is: wait for everyone to align, standardize on only one provider, or add an abstraction layer that gives you the flexibility."
This may help companies get more comfortable with adopting SAML or other protocols as they build out Web services. Adoption of SAML and Liberty Alliance has been, well, moving slowly. The latest Evans Data Web services survey finds eight percent are currently using SAML, and three percent have adopted the Liberty Alliance for authentication of Web services.
Kaufman agrees that SAML/Liberty have some way to go. "The vast majority of access control systems, 50 to 70 percent, are custom," she pointed out.