Show Us Your ID

The proliferation of distributed Web-based applications complicates the task of identifying online users. SAML might be the answer.

July 9, 2004
For years, counties have struggled to automate one of government's most paper-intensive transactions. The recording of land documents leapt forward in the mid-1990s when imaging technology first turned paper deeds, titles and releases into digital images that could be electronically captured, indexed, stored and retrieved at will.

But the documents, so vital to property transactions, still arrive from title and mortgage companies in paper form, signed by the parties involved and witnessed by notaries to ensure the transaction is legal and binding. Even with the advent of electronic forms to automate land document creation and the Web to inexpensively link registries of deeds with lenders and title companies, there has been no manageable way to reliably identify all players involved in the exchange and recording of land documents.

But that may be changing.

Last year, a group of lenders, title companies and counties created a method for identifying parties involved in the electronic exchange and recordation of title documents. The County Land Document Recordation Exchange allows users to log on once and enter into trusted transactions over the Internet. Rather than taking weeks to process, as is the case with paper documents, these electronic title recordings take place in minutes.

Say Hi to SAML
Several factors coalesced to make this happen, most notably the security assertion markup language (SAML) standard -- an XML-based standard that lets a user log on to one Web site and be recognized by any affiliated organization.

In the case of land records, a large lender can use SAML to manage employees' identities as they create mortgage documents and exchange them with title companies and county deeds registries without forcing all partners to adopt the same technology for purposes of security and authentication.

SAML is an outgrowth of Web services, which allow citizens or businesses to visit one Web location and carry out a variety of transactions involving several different applications. Web services allow interactions without overhauling underlying systems, some of which might be Oracle databases running on UNIX or a custom-made application sitting on top of Windows NT.

Web services also allow computer-to-computer transactions, reducing human interaction and labor costs. But for Web services to reach their full potential in government, identification is crucial.

"The problem with identity management in the past has been that data and people are spread all over," said Rick Caccia, director of product management for Oblix Inc., an identity management software firm. "Access rights are stored in different locations. Portals have spread a Web veneer across applications without solving the identity issue."

State and local governments haven't had a cost-effective way to let users log on once and conduct a series of transactions across several agencies. Now identity can be readily established. SAML asserts a user's identity across Web services, and affiliated entities recognize the user, rather than each organization having its own centralized identity management system. SAML provides the level of trust necessary for the complex web of relationships that have risen with the adoption of Web services, according to experts.

With SAML, state and local governments no longer have to rely on expensive centralized identity management systems to identify users who operate in an increasingly decentralized online world. Instead, they can begin building federated identity management systems, in which identities are interoperable and mobile.

Federating Through Alliances
The use of SAML and the growth of federated identity management have largely come from the Liberty Alliance Project, a consortium of more than 150 organizations, including software firms and governments -- primarily national, including the U.S. General Services Administration (GSA). The alliance is unusual because it is user-oriented, not technology-based, according to Simon Nicholson, chair of the Liberty Alliance business and marketing expert group and manager of strategic initiatives at Sun Microsystems.

"We are heavily focused not just on establishing new bonds of trust but also on privacy," Nicholson said. "Everything we do is vouched for by privacy experts."

The Liberty Alliance took SAML and other emerging standards, and developed specifications from them for federated identity management. One set of specifications focuses on single sign-on and account linking between partners with trusted relationships. Another set of specifications allows trusted partners to link identities with other groups.

A growing number of identity management companies are writing software programs that comply with Liberty Alliance specifications and support SAML, including Oblix, Ping Identity, HP and Sun, to name a few. Two notable exceptions are IBM and Microsoft, which are developing their own specifications.

Government Tackles ID Problem
The concept of federated identity management is not new. Credit card companies established the model so transactions could be verified through card-issuing banks. Rather than one bank attempting to manage identities and relationships with millions of customers and retailers, each bank controlled its own relationship with consumers and merchants.

Now digitally based federated identity management systems can be found at AOL, in the financial services industry, and increasingly, in government.

Nearly 30 percent of Oblix's business is in government, Caccia said, including government-to-government, government-to-citizen and government-to-business applications. Internationally, Belgium's government is using Oblix for identity management for its e-government portal, which will eventually support 70,000 workers and 10 million citizens with single-password access to tax applications, online databases and form submission services.

In the United States, the GSA is running tests at the federal level, through its E-Authentication Initiative, to demonstrate the interoperability of SAML-based solutions to government agencies. So far, three products from HP, Oblix and Sun have been tested, the GSA said.

The Navy recently announced it will roll out a communications system using the NetPoint tool from Oblix with Microsoft Windows Server and Active Directory. Eventually tens of thousands of Navy personnel will securely share data through Web services on the Navy's portal by exchanging SAML-based identities.

At the state and local level, experts agree the potential for federated identity management using SAML is huge. Nicholson said law enforcement agencies could benefit from such a system because it would give police officers simple but secure access to sensitive criminal information from various sources.

It could also be used for disaster recovery. Federated identities could allow public safety officials to exchange information rapidly among trusted partners (state police and local first responders) without using expensive technology.

For now, however, the property records exchange application is furthest along. The project involves NeuStar, a Liberty Alliance member and identity management software firm; ACS, a government outsourcing firm with numerous county registries as its clients; and an unspecified number of title and lending firms.

It also involves 15 counties and approximately 2,000 users, said John Ticer, NeuStar's vice president of Identity Services.

Users swipe smart cards through readers to access the system. The cards contain digital certificates, which identify the users and can be passed along within what is known as a "circle of trust." As other lending companies and counties join the County Land Document Recordation Exchange, they become part of the identity network and validate their own users as partners within the circle of trust.

This minimizes the spiraling number of log-on credentials needed by users as they exchange documents with an ever-growing number of partners.

"This is a very powerful application that is generating significant benefits in time and cost savings for the participants," Ticer said, adding that by making the process entirely electronic, from beginning to end, error rates, which are common when paper documents are filed, have largely been eliminated.

Because the exchange is based on Web services and is SAML compliant, computer upgrading is minimal.

"This is a direct implementation of SAML," Ticer said. "The Liberty Alliance added attributes that allow many-to-many transactions to occur."

Tod Newcombe, Features Editor